Foreword
The first web loopholes than sql, no matter which language to use for web back-end development, just use a relational database, you may encounter problems sql injection attacks. So sql injection in Python web development process is how it appears, is how to solve this problem?
Of course, I do not want to discuss here how other languages to avoid sql injection, and various methods of online about PHP-injection has, Python's method is actually similar, for example, here I said.
Due
The most common causes of vulnerability resulting string concatenation is, of course, sql injection is not just splice case, as well as wide Byte injection, escape special characters, and so are many, here to talk about the most common character string splicing, which is the primary programmer most likely to commit errors.
First, we define a class to handle the operation of mysql
This class is there a problem?
The answer is: Yes!
This class is flawed, it is likely to cause sql injection, the following will have to talk about why sql injection.
In order to verify the authenticity of the problem, here to write a method to invoke the above that class inside the method, if an error occurs directly thrown.
This method is very simple, one of the most common select query, use the most simple string concatenation composition sql statement, it is clear that the incoming parameters testUrl controlled, in order to be injected into the test, just behind the increase in value of testUrl quotes can be carried out on a single sql injection test, this much said, there is certainly injection vulnerabilities, to run the script again to see what results
(1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''t.tips''' at line 1")
Echo error, the error is very familiar, where I passed the test parameters are
t.tips'
Here again lead to the injection of one kind of the above method is slightly modified
This method which does not directly use string concatenation, but instead of using the% s parameter to be passed, appears to be not very much like a precompiled sql? That such an approach can not prevent sql injection it? Test will know, echoing as follows
(1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''t.tips''' at line 1")
And the above test results the same, so this method it is not enough, but this method is not precompiled sql statement, then how can we prevent sql injection do it?
solve
Two programs
1> incoming encode parameters escaped
2> use the Python method with the module MySQLdb
The first scenario actually have, to escape special characters or filter in which a lot of PHP-injection method.
The second option is to use internal methods, which are similar to PHP PDO, where a simple modification to the database of the above categories.
The revised Code
Here, when executed execute two arguments, the first is a parametric sql statement, the second is the corresponding actual parameter values, internal functions have passed parameter value corresponding processing to prevent sql injection, the actual the method used was as follows
preUpdateSql = "UPDATE `article` SET title=%s,date=%s,mainbody=%s WHERE id=%s"
mysql.insert(preUpdateSql, [title, date, content, aid])
This prevents sql injection, after passing a list, the list is MySQLdb module internal sequence into a tuple, then escape operation.
