special character handling
joonas at olen.to
Thu Nov 1 18:31:48 CET 2001
"Michael P. Soulier" wrote:
> When I'm coding in PHP, my job is made very easy due to the existence of
> functions that automagickally protect special characters with backslashes,
> translate special html characters to their corresponding html entities, strip
> all but allowed html tags, etc. I've looked in latest Python docs, and the
> Vaults of Parnassus, and I have yet to find such generic, ready-to-use
> It's true that I could create some of this using the existing internet and
> markup data handling classes, but the point is that they're not made yet.
> Before I go to the trouble of writing such a library, as I'd rather use Python
> than PHP, does anyone know if someone has beaten me to it?
> I'm thinking of such generic functions as
> addslashes(), stripslashes(), striphtml(), etc.
> If not, anyone here is of course welcome to help me write such a library,
> and I'll ensure that it ends up in tvops
The sgmllib module can strip HTML.
See example at
The built-in repr() function is very useful for some escaping tasks.
Here's an SQL example where user_input can contain unsafe data.
>>> user_input = "';\ndrop table usertable; select * from usertable where name like ';"
>>> print "select * from usertable where name like %s" % repr(user_input) #with repr
select * from usertable where name like "';
drop table usertable; select * from usertable where name like '";
>>> print "select * from usertable where name like '%s'" % (user_input) #without repr
select * from usertable where name like '';
drop table usertable; select * from usertable where name like '';
As you can see, the repr() function handles all unsafe characters.
>>> print repr(""" '`" """)
' \'`" '
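Added example, not part of the original post: the same user_input passed as a bound parameter, plus a check of whether the database reads repr() output back as the original string. It assumes the standard-library sqlite3 module (the post names no database); the table rows and helper names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with a few constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE usertable (name TEXT)")
    db.executemany("INSERT INTO usertable VALUES (?)",
                   [("alice",), ("o'brien",), ("bob",)])
    return db

def find_users(db, pattern):
    """Bound parameter: the driver hands pattern to SQLite as data,
    so quotes, semicolons and newlines in it are never parsed as SQL."""
    cur = db.execute("SELECT name FROM usertable WHERE name LIKE ?", (pattern,))
    return [row[0] for row in cur.fetchall()]

def repr_is_valid_sql_literal(db, value):
    """True only if SQLite parses repr(value) as a literal equal to value.
    repr() follows Python's quoting rules (backslash escapes, either quote
    style); SQL string literals double the single quote instead."""
    try:
        row = db.execute("SELECT %s" % repr(value)).fetchone()
    except sqlite3.Error:
        return False  # the text was not even parseable as one SQL literal
    return row[0] == value

if __name__ == "__main__":
    db = make_db()
    # user_input exactly as given in the post
    user_input = ("';\ndrop table usertable; "
                  "select * from usertable where name like ';")
    print("bound parameter, post's input:", find_users(db, user_input))
    print("bound parameter, o'%:", find_users(db, "o'%"))
    print("rows still present:",
          db.execute("SELECT count(*) FROM usertable").fetchone()[0])
    # Constructed sample values for the round-trip check
    for sample in ["alice", "a\nb", 'a\'b"c', user_input]:
        print(repr(sample), "->", repr_is_valid_sql_literal(db, sample))
```

With a bound parameter the application does no quoting at all, so the result does not depend on which escaping convention the database follows.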