Advanced Django ORM operations, security attacks and XSS

Complete list of query usage:

1. Comparison Operators
# id > 3
res = models.UserInfo.objects.filter(id__gt=3)
# id >= 3
res = models.UserInfo.objects.filter(id__gte=3)
# id < 3
res = models.UserInfo.objects.filter(id__lt=3)
# id <= 3
res = models.UserInfo.objects.filter(id__lte=3)
# id != 3
res = models.UserInfo.objects.exclude(id=3)
# id = 2 and name = "zekai"
res = models.UserInfo.objects.filter(id=2,name="zekai")


# or
from django.db.models import Q
res = models.UserInfo.objects.filter(Q(id__gt=3) | Q(name='zekai'))  # each condition is its own Q(); the | goes between them
2. Membership operators: in, not in
in
res = models.UserInfo.objects.filter(id__in=[2,3,4])

not in
res = models.UserInfo.objects.exclude(id__in=[2,3,4])
3. between...and
# id between 1 and 4 (range takes exactly two bounds, a lower and an upper)
res = models.UserInfo.objects.filter(id__range=(1, 4))
4. like
# starts with 'ze'
res = models.UserInfo.objects.filter(name__startswith='ze')

# the i prefix means ignore case (cf. the regex flags g: global, i: ignore case): starts with 'ze', case-insensitive
res = models.UserInfo.objects.filter(name__istartswith='ze')


# ends with 'ze'
res = models.UserInfo.objects.filter(name__endswith='ze')

res = models.UserInfo.objects.filter(name__iendswith='ze')

# contains 'ze'
res = models.UserInfo.objects.filter(name__contains='ze')
res = models.UserInfo.objects.filter(name__icontains='ze')

5. count
res = models.UserInfo.objects.filter(id__gt=3).count()
6. order by
# rows in ascending order of id
res = models.UserInfo.objects.all().order_by('id')


# rows in descending order of id
res = models.UserInfo.objects.all().order_by('-id')

# descending by id; rows with the same id are ordered ascending by age
res = models.UserInfo.objects.all().order_by('-id','age')
7. group by
# import the aggregation functions
from django.db.models import Avg, Sum, Max, Min, Count

# group by name and sum age within each group
res = models.UserInfo.objects.values("name").annotate(s=Sum('age'))


res = models.UserInfo.objects.values("name").annotate(s=Sum('age')).filter(s__gt=50)
8. limit
# take rows 10 to 20
# all() returns a QuerySet that can be sliced like a list, so [10:20] is a slice (it becomes LIMIT/OFFSET in SQL)
res = models.UserInfo.objects.all()[10:20]
9. last
# take the last row
res = models.UserInfo.objects.last()
10. only
# fetch only the name column (id is always fetched as well)
res = models.UserInfo.objects.only('name')
11. defer
# exclude the name column and fetch all the others (id is always fetched as well)
res = models.UserInfo.objects.defer('name')
12. F (batch operation data column)
from django.db.models import F
# add 1 to the age column of every row in UserInfo
res = models.UserInfo.objects.update(age=F('age')+1)
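The lookups in sections 1 to 9 above are the ORM's public API. To show what they do underneath, here is an added example (not code from the original post and not Django's own implementation) that re-implements a handful of them in plain Python over an in-memory sqlite3 table. The rows, the column whitelist and the translation rules are this example's own; the point it makes is that every value (`id__gt=3`, `name__istartswith='ze'`, the two bounds of `id__range`) is bound as a parameter, and that LIKE lookups escape `%` and `_` in the user's text, which is why ORM filters cannot be turned into SQL injection.

```python
import sqlite3

COLUMNS = ("id", "name", "age")  # only these names may appear in the SQL text

# Comparison lookups: the column name is interpolated after the whitelist
# check; the value is always bound as a "?" parameter.
COMPARE = {"exact": "=", "gt": ">", "gte": ">=", "lt": "<", "lte": "<="}
# LIKE lookups: (shape of the pattern around the escaped value, case-insensitive?)
LIKE = {
    "startswith": ("{}%", False), "istartswith": ("{}%", True),
    "endswith": ("%{}", False), "iendswith": ("%{}", True),
    "contains": ("%{}%", False), "icontains": ("%{}%", True),
}


def _column(name):
    if name not in COLUMNS:
        raise ValueError(f"unknown field {name!r}")
    return name


def _like_escape(text):
    # Make % and _ in the user's text literal; ESCAPE '\' below pairs with this.
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def compile_where(lookups, negate=False):
    """Turn {'id__gt': 3, 'name__istartswith': 'ze'} into (sql, params).

    negate=True models exclude(): the whole condition is wrapped in NOT (...)."""
    clauses, params = [], []
    for key, value in lookups.items():
        field, _, lookup = key.partition("__")
        col = _column(field)
        lookup = lookup or "exact"  # filter(id=2) is filter(id__exact=2)
        if lookup in COMPARE:
            clauses.append(f"{col} {COMPARE[lookup]} ?")
            params.append(value)
        elif lookup == "in":
            values = list(value)
            clauses.append(f"{col} IN ({', '.join('?' * len(values))})")
            params.extend(values)
        elif lookup == "range":
            low, high = value  # exactly two bounds, hence BETWEEN
            clauses.append(f"{col} BETWEEN ? AND ?")
            params.extend([low, high])
        elif lookup in LIKE:
            shape, case_insensitive = LIKE[lookup]
            pattern = shape.format(_like_escape(value))
            if case_insensitive:
                clauses.append(f"LOWER({col}) LIKE ? ESCAPE '\\'")
                params.append(pattern.lower())
            else:
                clauses.append(f"{col} LIKE ? ESCAPE '\\'")
                params.append(pattern)
        else:
            raise ValueError(f"unsupported lookup {lookup!r}")
    where = " AND ".join(clauses)
    return (f"NOT ({where})" if negate else where), params


def select(conn, filters=None, exclude=None, order_by=(), limit=None, offset=0):
    """Mirror filter(**filters).exclude(**exclude).order_by(*order_by)[offset:offset+limit]."""
    sql, params, parts = "SELECT id, name, age FROM UserInfo", [], []
    if filters:
        where, p = compile_where(filters)
        parts.append(where)
        params += p
    if exclude:
        where, p = compile_where(exclude, negate=True)
        parts.append(where)
        params += p
    if parts:
        sql += " WHERE " + " AND ".join(parts)
    if order_by:  # '-age' means descending, as in order_by('-id')
        terms = [f"{_column(o.lstrip('-'))} {'DESC' if o.startswith('-') else 'ASC'}" for o in order_by]
        sql += " ORDER BY " + ", ".join(terms)
    if limit is not None:  # a QuerySet slice becomes LIMIT/OFFSET, also parameterised
        sql += " LIMIT ? OFFSET ?"
        params += [limit, offset]
    return conn.execute(sql, params).fetchall()


def demo_connection():
    """In-memory UserInfo table with constructed rows (not data from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA case_sensitive_like = ON")  # sqlite LIKE ignores ASCII case by default
    conn.execute("CREATE TABLE UserInfo (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO UserInfo VALUES (?, ?, ?)", [
        (1, "zekai", 18), (2, "ZEKAI", 25), (3, "alice", 30), (4, "bob", 41), (5, "zeta_x", 22),
    ])
    return conn


def ids(rows):
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = demo_connection()
    print(compile_where({"id__gt": 3, "name__istartswith": "ze"}))
    print(ids(select(conn, filters={"name__contains": "a_"})))  # the _ is matched literally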

13. native sql

1. Use extra method

'''
Explanation: a result-set modifier, a mechanism for supplying extra query parameters
Note: depends on the model
'''
Used in WHERE:
    Book.objects.filter(publisher_id="1").extra(where=["title='python学习1'"])

Used in SELECT:
    Book.objects.filter(publisher_id="1").extra(select={"count": "select count(*) from hello_book"})

2. Use raw method

'''
Explanation: executes raw SQL and returns model instances
Note: depends on the model; mostly used for queries
'''
# usage:
book = Book.objects.raw("select * from hello_book")
for item in book:
    print(item.title)

3. Execute custom SQL

'''
Explanation: executes SQL through a database cursor
Import: from django.db import connection
Note: does not depend on a model
'''

# usage:

from django.db import connection
cursor = connection.cursor()
# insert
cursor.execute("insert into hello_author(name) values('xiaol')")
# update
cursor.execute("update hello_author set name='xiaol' where id=1")
# delete
cursor.execute("delete from hello_author where name='xiaol'")
# select
cursor.execute("select * from hello_author")
# return one row
raw = cursor.fetchone()
print(raw)
# return all rows
cursor.fetchall()
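The cursor statements above embed their values as literals inside the SQL text. As soon as a value comes from a request rather than from the source code, it must be passed as a bound parameter instead. This added example (not code from the original post) rewrites the same insert/update/delete/select sequence that way, using the standard-library sqlite3 module and an in-memory hello_author table with constructed names so that it runs without Django. Django's own `connection.cursor().execute(sql, params)` takes the same `(sql, params)` pair but uses `%s` as the placeholder on every database backend, where sqlite3 uses `?`.

```python
import sqlite3


def open_db():
    """Constructed in-memory stand-in for the hello_author table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hello_author (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_author_unsafe(conn, name):
    """The pattern from the post with the literal replaced by string formatting.
    The value becomes part of the SQL text, so a name containing a quote
    changes the statement instead of being stored as data."""
    conn.execute("insert into hello_author(name) values('%s')" % name)


def insert_author(conn, name):
    """Parameterised version: the driver sends name as data, never as SQL.
    With Django's cursor this would read
    cursor.execute("insert into hello_author(name) values(%s)", [name])."""
    cur = conn.cursor()
    cur.execute("insert into hello_author(name) values(?)", (name,))
    return cur.lastrowid


def rename_author(conn, author_id, new_name):
    cur = conn.cursor()
    cur.execute("update hello_author set name=? where id=?", (new_name, author_id))
    return cur.rowcount


def delete_author(conn, name):
    cur = conn.cursor()
    cur.execute("delete from hello_author where name=?", (name,))
    return cur.rowcount


def author_names(conn):
    cur = conn.cursor()
    cur.execute("select name from hello_author order by id")
    return [row[0] for row in cur.fetchall()]


def unsafe_insert_fails(conn, name):
    """True when the string-formatted insert cannot even store a name that the
    parameterised insert handles verbatim (e.g. one containing an apostrophe)."""
    try:
        insert_author_unsafe(conn, name)
    except sqlite3.OperationalError:  # the quote inside the name broke the SQL syntax
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    insert_author(db, "xiaol")
    insert_author(db, "O'Brien")  # constructed name with a quote in it
    print(author_names(db), unsafe_insert_fails(db, "O'Brien"))
```

The apostrophe case is the everyday symptom of the same defect that makes string-built SQL injectable: once user text is spliced into the statement, the database cannot tell data from code, so the fix is the same in both cases, parameterise every value and interpolate only identifiers you have whitelisted yourself.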
14. distinct

Security attacks

1. XSS

XSS is a security vulnerability that frequently appears in web applications: it allows an attacker to inject malicious code into pages that the application serves to other users. It is also a form of injection attack; the essence of injection is that data supplied as input is treated as executable program statements, and here that code includes HTML and client-side script.

2. Harm

  • Stealing all kinds of user accounts, such as machine login accounts, users' online banking accounts and administrator accounts of every type
  • Controlling corporate data, including reading, tampering with, adding and deleting sensitive corporate data
  • Stealing important company information with commercial value
  • Illegal transfers, and so on

3. Principle:

1. Reflected XSS attacks
In a normal browser/server interaction the client sends the server a request such as http://www.bigshop.com/product/list/?q=手机, i.e. the customer asks the target site for all mobile phones, and the server returns the matching data to the client. The keyword itself is also echoed back to the user in the browser, and this is what gives an XSS attack its opening. An attacker sends the user, by some means, a link of the form http://ww.bigshop.com/product/list/?q= with a malicious script in the query parameter. Once the user clicks the link, a query request is sent to the target site; naturally it returns no results, but the JavaScript makes a round trip through the backend and comes back to the browser, which then executes it, in this case reading the user's cookie value. Once the attacker has your cookie, they can essentially impersonate you.
As you can see, the attacker uses reflected XSS to get a script executed in the victim's browser. Because the code is injected into a dynamically generated page rather than a permanently stored one, the attack only takes effect when the link is clicked, which is why it is also called non-persistent XSS.
2. Stored XSS attacks
Stored XSS differs from reflected XSS in that the XSS payload is already stored in the server's database and can be returned to browsers over a long period. For example, if user A writes a malicious JS script into a blog post or comment on cnblogs, the script is permanently stored in the cnblogs database; whenever another user requests that post or comment, cnblogs returns the data to them, and the malicious script is returned to and executed in that user's browser as well.

4. Protection

  • Character filtering: check the length of, and filter special characters from, everything the user submits, whether in the URL or in form contents
  • Cookies: avoid putting important or sensitive information in cookies
  • Form submission: prefer POST to GET for submitting forms

Filtering should not stop at the requests the user sends to the server; after the server returns data to the browser, the output rendered in the browser must be protected again.

5. How should we defend against this in Django?

Django already protects against this for us, so we do not need to handle it ourselves.

Conversely, if we want to remove Django's protection, we only need to render the value with {{ 展示信息 | safe }} (i.e. pass the displayed value through the safe filter) when displaying user information.


Prevent XSS attacks

An XSS attack is when someone types HTML code into an input box on a page and that code is then executed, for example using some script to make the HTML page pop up windows in an infinite loop.

Django comes with built-in code that prevents XSS attacks; if you do not want it to, add "| safe".
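What that built-in protection actually does, as an added example that is not code from the original post or from Django: when a template renders {{ value }}, Django passes the value through django.utils.html.escape, which maps the five characters `&`, `<`, `>`, `"` and `'` to HTML entities; Python's standard `html.escape(value, quote=True)` produces the same output, so the demo below runs without Django. The profile template and the stored comment are constructed for the demo; `render_escaped` stands for `{{ comment }}` and `render_safe` for `{{ comment|safe }}`.

```python
import html

# Constructed page fragment standing in for a Django template around a user value.
TEMPLATE = '<p class="bio">{}</p>'

# Constructed stored-XSS style comment, i.e. what a user might save to the database.
COMMENT = '<script>alert("xss")</script> nice post & "thanks"'


def render_escaped(user_text):
    """{{ user_text }} with autoescape on (Django's default): markup becomes text."""
    return TEMPLATE.format(html.escape(user_text, quote=True))


def render_safe(user_text):
    """{{ user_text|safe }}: the text is inserted as-is and the browser parses it as markup."""
    return TEMPLATE.format(user_text)


def needs_escaping(user_text):
    """True when the value contains characters that would change meaning if
    rendered with |safe; useful as a review check over stored user content."""
    return html.escape(user_text, quote=True) != user_text


def flag_unsafe_comments(comments):
    """Return the indexes of stored comments that must not be marked safe."""
    return [i for i, text in enumerate(comments) if needs_escaping(text)]


if __name__ == "__main__":
    print(render_escaped(COMMENT))
    print(render_safe(COMMENT))
    print(flag_unsafe_comments([COMMENT, "plain text comment"]))
```

The escaped rendering keeps the user's text visible on the page while the `<script>` element never exists in the DOM; the `|safe` rendering hands the same bytes to the browser as markup, which is exactly the stored-XSS path described in the principle section. Mark a value safe only when it was produced by your own code or passed through a sanitizer, never because it came from a form.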

6. Other attacks

CSRF attack
SQL injection attack

Django offers two methods for modifying a result set:

Method 1: annotate

Method 2: extra


Source: www.cnblogs.com/plf-Jack/p/11355524.html