Python:连接到 MySQL 和执行查询的最佳实践和最安全的方式

2021-11-20 00:00:00 python mysql sql-injection

在 MySQL 上运行查询的最安全方法是什么?我知道 MySQL 和 SQL 注入所涉及的危险.

What is the safest way to run queries on MySQL? I am aware of the dangers involved with MySQL and SQL injection.

但是,我不知道应该如何运行查询以防止注入其他用户(网络客户端)可以操作的变量.我曾经写过自己的转义函数,但显然这是未完成".

However, I do not know how I should run my queries to prevent injection on the variables to which other users (webclients) can manipulate. I used to write my own escape function, but apparently this is "not-done".

我应该使用什么以及我应该如何使用它通过 python 在 MySQL 数据库上安全地查询和插入,而不会冒 MySQL 注入的风险?

What should I use and how should I use it to query and do inserts safely on a MySQL database through python without risking MySQL injection?

推荐答案

为了避免注入,使用 execute%s 代替每个变量,然后传递值通过列表或元组作为 execute 的第二个参数.这是文档中的示例:

To avoid injections, use execute with %s in place of each variable, then pass the value via a list or tuple as the second parameter of execute. Here is an example from the documentation:

c=db.cursor()
max_price=5
c.execute("""SELECT spam, eggs, sausage FROM breakfast
          WHERE price < %s""", (max_price,))

请注意,这是使用逗号,而不是%(这将是直接的字符串替换,而不是转义).不要这样做:

Note that this is using a comma, not % (which would be a direct string substitution, not escaped). Don't do this:

c.execute("""SELECT spam, eggs, sausage FROM breakfast
          WHERE price < %s""" % (max_price,))

此外,如果参数是驱动程序提供的字符串,则不得在位置持有者 ('%s') 周围使用单引号.

In addition, you must not use single quotes around the position holder ('%s') if the parameter is a string as the driver provides these.

相关文章