Validating User Input in Flask
Key Concepts
- Form Validation
- Data Sanitization
- Error Handling
1. Form Validation
Form validation ensures that the data submitted by users meets the required criteria before it is processed, so malformed or malicious input is rejected at the boundary. The check must run on the server: browser-side checks (HTML5 required attributes, JavaScript) help honest users but are bypassed by anyone who sends the request directly. Flask-WTF, a Flask extension that wraps WTForms, provides declarative form validation.

from flask_wtf import FlaskForm
from wtforms import StringField, SubmitField
from wtforms.validators import DataRequired, Length

class MyForm(FlaskForm):
    # DataRequired rejects empty or whitespace-only values; Length bounds the
    # size so the field cannot be used to push oversized data into the app.
    # FlaskForm also adds a hidden CSRF token field, which is why the app
    # that uses this form needs a SECRET_KEY configured.
    name = StringField('Name', validators=[DataRequired(), Length(min=2, max=20)])
    submit = SubmitField('Submit')
2. Data Sanitization
Data sanitization means cleaning or filtering user input so that it cannot carry harmful content into wherever it ends up. Two different techniques hide behind the word, and it matters which one is applied where: filtering or rejecting on input (what section 1 does), and escaping on output, which encodes the data for the context it is written into. The example below uses markupsafe.escape, which HTML-encodes <, >, &, and both quote characters so that user input is rendered as text instead of being interpreted as markup; that is the defence against XSS in an HTML context. It does nothing against SQL injection: the defence there is parameterized queries, where the driver binds values to placeholders, never string concatenation, and HTML-escaping a value before concatenating it into SQL does not make the query safe. Jinja2 templates rendered by Flask autoescape by default, so explicit escaping is mainly needed when a response is assembled by hand, as here.

from flask import Flask, request
from markupsafe import escape

app = Flask(__name__)

@app.route('/submit', methods=['POST'])
def submit():
    # request.form['user_input'] raises a 400 Bad Request if the field is
    # missing, which is the right outcome for a malformed submission.
    # escape() returns a Markup string with <, >, &, " and ' HTML-encoded,
    # so the value is safe to place in an HTML body or attribute.
    user_input = escape(request.form['user_input'])
    return f'Sanitized Input: {user_input}'
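The following is an added example, not code from the page, that shows why HTML escaping and SQL parameterization are separate defences. It uses the standard library's html.escape in place of markupsafe.escape (they encode the same HTML metacharacters) and an in-memory sqlite3 table with constructed sample rows so it runs without Flask or a database server. The function names and the sample users are this example's own.

```python
import html
import sqlite3


def escape_for_html(user_input: str) -> str:
    # Output encoding for an HTML body or attribute context. Stand-in for
    # markupsafe.escape; html.escape encodes &, <, >, " and ' by default.
    return html.escape(user_input, quote=True)


def make_db() -> sqlite3.Connection:
    # Constructed sample data: three users in an in-memory table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # String concatenation: the user's text becomes part of the SQL grammar.
    # HTML-escaping it first changes nothing, because a numeric-context
    # payload such as "1 OR 1=1" contains none of the characters escape touches.
    query = "SELECT id, name FROM users WHERE id = " + escape_for_html(user_id)
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, user_id: str) -> list:
    # Parameter binding: the driver sends the value separately from the
    # statement, so "1 OR 1=1" is only ever compared as a value and matches
    # no integer id.
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def lookup_user_validated(conn: sqlite3.Connection, user_id: str):
    # Validation and parameterization together: an id must be an integer, so
    # anything else is rejected before it reaches the database at all.
    # Returns None for rejected input, otherwise the matching rows.
    try:
        uid = int(user_id)
    except ValueError:
        return None
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (uid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1"
    print("escaped:    ", escape_for_html("<img src=x onerror=alert(1)>"))
    print("vulnerable: ", lookup_user_vulnerable(db, payload))
    print("safe:       ", lookup_user_safe(db, payload))
    print("validated:  ", lookup_user_validated(db, payload))
```

Running it shows the escaped markup rendered harmless, the concatenated query returning every row for the injected payload, and both the parameterized and the validated lookup returning nothing for it while still finding a legitimate id such as "2".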
3. Error Handling
Error handling in form validation ensures that users are told what was wrong with their input, which matters for usability and also keeps a rejected request from silently continuing as if it had succeeded. WTForms validators carry default error messages (each accepts a message= argument to override them), and Flask-WTF exposes them on the form object after validation so the template can display them.

from flask import Flask, render_template
from markupsafe import escape
from forms import MyForm   # the MyForm class from section 1, saved as forms.py

app = Flask(__name__)
# Flask-WTF signs its CSRF token with the app's secret key; without one,
# validate_on_submit() raises a RuntimeError at request time. Load the key
# from configuration rather than hard-coding it in source.
app.config['SECRET_KEY'] = 'replace-with-a-random-secret'

@app.route('/', methods=['GET', 'POST'])
def index():
    form = MyForm()
    # True only for a POST whose CSRF token is valid and whose fields pass
    # every validator; on GET, or when validation fails, the form is
    # re-rendered so the errors can be shown next to the fields.
    if form.validate_on_submit():
        # Length and DataRequired do not restrict characters, so the value
        # is escaped before being echoed into an HTML response.
        return f'Form submitted successfully. Name: {escape(form.name.data)}'
    return render_template('index.html', form=form)

In the example above, if validation fails, Flask-WTF leaves the error messages on the form object: form.errors maps field names to lists of messages, and each field exposes its own list as, for instance, form.name.errors. The template displays them by iterating over that list next to the field. The template must also render the hidden CSRF field (form.hidden_tag()), or every POST will fail validation with a missing-token error.