使用 web.py 的 web.database 时应该如何防止滥用? [英] How should I prevent abuse when using web.py's web.database?
问题描述
我正在编写一个快速的 web.py 应用程序并从 web.input 中获取数据...
I'm writing a quick web.py app and take data from web.input...
import web
urls = (
'/', 'something',
)
app = web.application(urls, globals())
db = web.database(dbn='postgres', db='database', user='username', password='password', host='127.0.0.1')
class something:
def GET(self):
i = web.input()
return db.select('foo.table', where="column=$variable", vars={'variable':i.input, })
if __name__ == "__main__": app.run()
作为 vars 的一部分,我是否应该担心将 i.input 传递给 db.select(或查询等)?SQL注入可能性等?
Should I worry about passing i.input to db.select (or query etc.) as I do as part of vars? SQL injection possibilities etc. ?
我自己一直在玩这个,试图让一些讨厌的事情发生.例如,玩引用,http://localhost:8080/?id=13' 或 'x' ='x 导致很好地转义 sql 显示在异常中:
I have been playing around with this myself, trying to get something nasty happenning. Playing with quoting for example, http://localhost:8080/?id=13' or 'x' ='x results in nicely escaped sql being shown in Exceptions:
<sql: 'select * from foo.table where id = "13\' or \'x\'=\'x"'>
我已经尝试了互联网提出的其他一些常见测试,并且认为我很高兴 web.py 正在处理消毒...还有其他人可以发表评论吗?
I've tried a few other common tests that the internet puts forward and think I'm quite happy web.py is dealing with the sanitisation... Would anyone else be able to comment?
推荐答案
http://webpy.org/cookbook/查询说:
为了防止 SQL 注入攻击,db.query 也接受vars"db.select 中描述的语法:
To prevent SQL injection attacks, db.query also accepts the "vars" syntax as described in db.select:
results = db.query("SELECT * FROM users WHERE id=$id", vars={'id':10})
如果您信任他们的id",这将转义用户输入变量.
This will escape user input, if you're trusting them for the "id" variable.
所以我想就这么简单.
当然,我意识到如果我要插入它,我仍然需要验证用户输入......
Of course I realise that I still need to validate user input if I'm going to be inserting it places...
这篇关于使用 web.py 的 web.database 时应该如何防止滥用?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!