
Was looking over a developer's code. He did something that I have never seen before in a Python application. His background is in PHP and he is just learning Python, so I don't know if this is perhaps a holdover from the different system architectures that he is used to working with.

He told me that the purpose of this code is to prevent the user from attacking the application via code insertion. I'm pretty sure this is unnecessary for our use case since we are never evaluating the data as code, but I just wanted to make sure and ask the community.

```python
# Import library (cgi.escape was deprecated in Python 3.2 and removed in 3.8;
# html.escape is its replacement)
from cgi import escape

# Get information that the client submitted
# (GET_request stands for the parsed query-string mapping in this snippet)
fname   = GET_request.get('fname',   [''] )[0]

# Make sure client did not submit malicious code <- IS THIS NECESSARY?
if fname:
    fname = escape(fname)
```

  • Is this typically necessary in a Python application?
  • In what situations is it necessary?
  • In what situations is it not necessary?
Chris Dutrow

1 Answer

If user input is going into a database, or anywhere else it might be executed, then code injection could be a problem.

This question asks about ways to prevent code injection in PHP, but the principle is the same - SQL queries containing malicious code get executed, potentially doing things like deleting all your data.

The escape function converts <, > and & characters into HTML-safe sequences.

From those two links it doesn't look like escape() is enough on its own, but something does need to be done to stop malicious code. Of course this may well be being taken care of elsewhere in your code.

rorold
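The answer's point is that escaping is specific to the context the data ends up in: `escape()` makes a value safe to place in an HTML page, and says nothing about a SQL statement. The example below is added here to illustrate that and is not code from the question or the answer. It uses `html.escape(..., quote=False)`, which behaves like the old `cgi.escape()` (only `<`, `>` and `&` are converted), and a constructed in-memory SQLite table with made-up names; a legitimate name containing an apostrophe is enough to show that the HTML-escaped value still breaks a concatenated query while a parameterized query handles it as plain data.

```python
import html
import sqlite3
from typing import List, Optional


def escape_for_html(value: str) -> str:
    """HTML-escape a value for the page body. Like the old cgi.escape(),
    quote=False turns only <, > and & into entities; quotes pass through."""
    return html.escape(value, quote=False)


def render_greeting(fname: str) -> str:
    """Output context: HTML. Escaping here is what stops submitted text from
    being interpreted as markup or script by the browser."""
    return "<p>Hello, " + escape_for_html(fname) + "</p>"


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (fname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice",), ("bob",), ("O'Brien",)])
    conn.commit()
    return conn


def find_user_parameterized(conn: sqlite3.Connection, fname: str) -> List[str]:
    """SQL context, done right: the driver binds the value, so it is never
    parsed as SQL and any quotes or angle brackets in it are just data."""
    rows = conn.execute("SELECT fname FROM users WHERE fname = ?", (fname,))
    return [r[0] for r in rows]


def find_user_concatenated(conn: sqlite3.Connection,
                           fname: str) -> Optional[List[str]]:
    """SQL context, done wrong: the value is pasted into the statement text.
    Returns None when the database rejects the resulting statement, which is
    what happens with the apostrophe in O'Brien even after HTML escaping."""
    try:
        rows = conn.execute("SELECT fname FROM users WHERE fname = '%s'" % fname)
        return [r[0] for r in rows]
    except sqlite3.Error:
        return None


if __name__ == "__main__":
    db = setup_db()
    submitted = "O'Brien"  # constructed input: a legitimate name with a quote
    print(render_greeting("<b>" + submitted + "</b>"))     # tags become entities
    print(find_user_parameterized(db, submitted))           # ['O\'Brien']
    print(find_user_concatenated(db, escape_for_html(submitted)))  # None
```

Run it directly to see the three outcomes. The takeaway for the question: escaping on input is the wrong place to decide anything, because the same value may later be written into HTML (escape it there) and into SQL (bind it as a parameter there); neither protection substitutes for the other.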