Python web programming security

[Karel]

Hello,

I'm looking for suggestions about Python security. I have a relatively small webserver, providing "VIP" webhosting (read not the usual slow server+PHP+MySQL+unlimited traffic except when you really use it) and I need to have an "administration panel". I didn't go for ISPConfig or anything similar, they are overcomplicated and hard to customize for my (customers') needs (e.g. joining svn, Trac, phpBB, email and ftp logins together). My current panel is a bunch of PHP scripts, it 'works' but is very hard to maintain (adding new features is even harder).

Recently, I read through several Python manuals and it seems to me that the language provides exactly what I need. It has less overhead than Java and is 'nicer' (object-oriented, readable) than PHP/Perl. Now, making the administration interface itself is simple, as are several SQL queries to add e.g. ftp users, but rest of the scripts (I guess 80%) is just checking and sanitizing user input, checking permission (e.g. whether current user can edit this domain emails).

I wasn't able to find any tutorials about preventing SQL injections etc., but I guess there will be a simple function to do that (as I have seen many Python web frameworks). Also, are there any nice tutorials about mod_python sessions? Python seems to have better support for sessions, as you probably can save a whole class instance (I'm not sure about this).

I wonder what should I do...