If I receive post data with Flask, put that data into a WTForms form and it successfully validates, is it safe from SQL injection attacks?

StackOverflow https://stackoverflow.com/questions/9059127

Question

I am using Flask, WTForms, and the OurSQL MySQL library for my app. I receive post data from the request.form variable. I put that into a WTForms form object. I call validate() on that form, and then insert the form data into a MySQL database using OurSQL.

Without doing any additional processing, am I safe from SQL injection? Does the WTForms validate method do escaping? If not, what should I do to escape the data? An example of what I am doing looks like this:

form = MyWTFFormsForm(request.form)
if form.validate():
    # ? placeholders: the values are passed to the driver separately,
    # not pasted into the SQL text
    cursor.execute("INSERT INTO mytable VALUES (?, ?, ?, ?, ?);",
                   (form.field1.data, form.field2.data, form.field3.data,
                    form.field4.data, form.field5.data))

Solution

As far as I know, neither WTForms nor Flask escape the data for SQL, but using placeholders like you're doing there eliminates the need for escaping.

Other tips

Form validation and SQL are separate concerns. The job of form validation is to make sure the data makes sense. The job of the SQL code is to store the data safely. SQL injection attacks are basically attacks on the SQL-related code. The snippet you provided, using cursor.execute and ? placeholders, will do proper quoting before sending data to SQL, so there is no possibility for an SQL injection.
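The two answers above make the same point: validation decides whether the data makes sense, placeholders decide whether it reaches the database as data rather than as SQL. The following is an added example, not code from the question or the answers, that shows the difference concretely. It assumes an in-memory SQLite database in place of MySQL/OurSQL (both use the DB-API "qmark" placeholder style), and a hand-written validate() standing in for WTForms' form.validate(). The sample form data is constructed; "O'Brien" is a perfectly legitimate value that any validator should accept, and the apostrophe in it is exactly what breaks SQL that is built by string formatting.

```python
import sqlite3

# Constructed sample POST data, standing in for request.form.
SAMPLE_FORM = {"field1": "O'Brien", "field2": "hello"}


def validate(data):
    """Stand-in for form.validate(): checks that the data makes sense.

    Note that it says nothing about SQL; that is not its job.
    """
    return all(isinstance(data.get(k), str) and 0 < len(data[k]) <= 100
               for k in ("field1", "field2"))


def new_db():
    # In-memory SQLite instead of MySQL/OurSQL so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (field1 TEXT, field2 TEXT)")
    return conn


def insert_by_string_formatting(conn, data):
    """The pattern to avoid: the values become part of the SQL text.

    Returns True if the statement ran, False if the database rejected it.
    """
    sql = "INSERT INTO mytable VALUES ('%s', '%s');" % (data["field1"],
                                                        data["field2"])
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.Error:
        # The apostrophe in O'Brien ended the string literal early and the
        # rest of the value was parsed as SQL. Validation passed, yet the
        # SQL layer is still broken; hostile input abuses the same flaw.
        return False


def insert_with_placeholders(conn, data):
    """The pattern from the question: the driver sends the values separately,
    so quotes inside them never touch the statement's syntax."""
    conn.execute("INSERT INTO mytable VALUES (?, ?);",
                 (data["field1"], data["field2"]))
    conn.commit()
    return True


def stored_rows(conn):
    return conn.execute("SELECT field1, field2 FROM mytable").fetchall()


def demo(data=SAMPLE_FORM):
    """Validate first, then try both insert styles on fresh databases."""
    if not validate(data):
        return {"valid": False}
    unsafe_conn, safe_conn = new_db(), new_db()
    return {
        "valid": True,
        "string_formatting_ok": insert_by_string_formatting(unsafe_conn, data),
        "placeholders_ok": insert_with_placeholders(safe_conn, data),
        "stored_with_placeholders": stored_rows(safe_conn),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the validated value failing under string formatting but being stored verbatim, apostrophe included, under the placeholder form. The same split applies with OurSQL: keep validation in the form and keep every value in the parameter tuple of cursor.execute, never in the query string.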

Licensed under: CC-BY-SA with attribution