special character handling

Joonas Paalasmaa joonas at olen.to
Thu Nov 1 18:31:48 CET 2001


"Michael P. Soulier" wrote:
> 
>     Hello.
> 
>     When I'm coding in PHP, my job is made very easy due to the existence of
> functions that automagickally protect special characters with backslashes,
> translate special html characters to their corresponding html entities, strip
> all but allowed html tags, etc. I've looked in latest Python docs, and the
> Vaults of Parnassus, and I have yet to find such generic, ready-to-use
> functions.
>     It's true that I could create some of this using the existing internet and
> markup data handling classes, but the point is that they're not made yet.
> Before I go to the trouble of writing such a library, as I'd rather use Python
> than PHP, does anyone know if someone has beaten me to it?
> 
>     I'm thinking of such generic functions as
> 
>     addslashes(), stripslashes(), striphtml(), etc.
> 
>     If not, anyone here is of course welcome to help me write such a library,
> and I'll ensure that it ends up in tvops

sgmllib module can strip HTML.
See example at
http://mail.python.org/pipermail/python-list/2001-May/041075.html

Builtin repr() function is very useful for some escaping tasks.
Here's an sql example where user_input can contain unsafe data.

>>> user_input = "';\ndrop table usertable; select * from usertable where name like ';"
>>> print "select * from usertable where name like %s" % repr(user_input) #with repr
select * from usertable where name like "';
drop table usertable; select * from usertable where name like '";
>>> print "select * from usertable where name like '%s'" % (user_input) #without repr
select * from usertable where name like '';
drop table usertable; select * from usertable where name like '';

As you can see the repr() function handles all unsafe characters.

>>> print repr(""" '`" """)
' \'`" '


--
Joonas Paalasmaa



More information about the Python-list mailing list