How to operate mysql in python to prevent your own program from being maliciously injected later (to put it bluntly, I am asking about some key points of anti-injection in python)
滿天的星座
滿天的星座 2017-06-14 10:50:54
0
2
819

Is it necessary to refer to previous anti-injection documents in languages ​​​​such as php or java? It’s really hard to find anti-injection documentation related to python

滿天的星座
滿天的星座

reply all(2)
黄舟

1.Pass

cursor.execute("select * from table where name=%s", "name")

Anti-injection.

2.If passed

sql = "select * from table where name=%s" % MySQLdb.escape_string(name)

This format requires MySQLdb.escape_string(name) to prevent injection.

It is recommended to use the first one.

学霸
sql = "INSERT INTO `users` (`email`, `password`) VALUES (%s, %s)"
cursor.execute(sql, ('webmaster@python.org', 'very-secret'))

One thing I know is not to use sql.format("x1", "x2"), but to pass the parameters to cursor.execute for processing

Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template