Python MySQL，这是准备好的语句吗? [英] Python MySQL, is this a prepared statement?

问题描述

我正在设置一个 mysql 应用程序.这是我的 getUsername 方法使用标准 mysqldb 格式连接.这是否意味着它是一个准备好的声明?另外，这段代码安全吗，还是我容易受到 SQL 注入的影响?

I am setting up a mysql app. This is my getUsername method connects using standard mysqldb formatting. Does this mean it is a prepared statement? Also, is this code safe, or am I vulnerable to SQL injection?

def selectUser(userName):
    try:
        username = pickle.loads(base64.decode(userName))
    except:
        username = "admin"
    query = "SELECT name FROM users WHERE name = '%s'"
    conn = MySQLdb.connect('localhost', 'dbAdmin', 'lja8j30lJJal##', 'blog');
    with conn:
        c = conn.cursor()
        c.execute(query, (username,))

推荐答案

否 - 无法在 MySQLdb 中制作准备好的语句.您不会在 _mysql.c 中的 MySQL API 绑定.

No - there is no way to make a prepared statement in MySQLdb. You won't find any mysql_stmt_init(), mysql_stmt_prepare() or mysql_stmt_execute() in the MySQL API binding in _mysql.c.

无论出于何种原因，MySQLdb 的作者选择了模拟参数，而不是使用真正的服务器端准备好的语句.

For whatever reason, the author of MySQLdb chose to simulate parameters instead of using real server-side prepared statements.

为了防止 SQL 注入，MySQLdb 包使用 Python 字符串格式语法.它将动态值插入到 SQL 查询中并应用正确的转义，即在引号字符前添加 \ 以确保动态值不包含字符串分隔符.

To protect against SQL injection, the MySQLdb package uses Python string-format syntax. It interpolates dynamic values into SQL queries and applies correct escaping, i.e. adding \ before quote characters to make sure dynamic values don't contain string delimiters.

查看我对 PyMySQL 的回答防止用户受到 sql 注入攻击? 演示.

但是，如果您需要为数字常量使用动态值，则转义无济于事.

However, escaping doesn't help if you need to use dynamic values for numeric constants.

这篇关于Python MySQL，这是准备好的语句吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！