Python:连接到 MySQL 和执行查询的最佳实践和最安全的方式
在 MySQL 上运行查询的最安全方法是什么?我知道 MySQL 和 SQL 注入所涉及的危险.
What is the safest way to run queries on MySQL? I am aware of the dangers involved with MySQL and SQL injection.
但是,我不知道应该如何运行查询以防止注入其他用户(网络客户端)可以操作的变量.我曾经写过自己的转义函数,但显然这是未完成".
However, I do not know how I should run my queries to prevent injection on the variables to which other users (webclients) can manipulate. I used to write my own escape function, but apparently this is "not-done".
我应该使用什么以及我应该如何使用它通过 python 在 MySQL 数据库上安全地查询和插入,而不会冒 MySQL 注入的风险?
What should I use and how should I use it to query and do inserts safely on a MySQL database through python without risking MySQL injection?
推荐答案
为了避免注入,使用 execute
和 %s
代替每个变量,然后传递值通过列表或元组作为 execute
的第二个参数.这是文档中的示例:
To avoid injections, use execute
with %s
in place of each variable, then pass the value via a list or tuple as the second parameter of execute
. Here is an example from the documentation:
c=db.cursor()
max_price=5
c.execute("""SELECT spam, eggs, sausage FROM breakfast
WHERE price < %s""", (max_price,))
请注意,这是使用逗号,而不是%(这将是直接的字符串替换,而不是转义).不要这样做:
Note that this is using a comma, not % (which would be a direct string substitution, not escaped). Don't do this:
c.execute("""SELECT spam, eggs, sausage FROM breakfast
WHERE price < %s""" % (max_price,))
此外,如果参数是驱动程序提供的字符串,则不得在位置持有者 ('%s'
) 周围使用单引号.
In addition, you must not use single quotes around the position holder ('%s'
) if the parameter is a string as the driver provides these.
相关文章