sql转义模块 [英] sql escaping module

问题描述

刚接触pgdb，我发现有很多东西我不明白

当我阅读PEP和pgdb上的稀疏文档时。


我希望有一个模块可以正确地逃避更长的文本

字符串以防止sql注入 - 而其他的东西只是确保

python string对象最终成为postgresql的正确类型。我已经在postgresql上购买了3本书，而没有任何代码示例证明这一点。


网页搜索''python sql escape string''yeild结果太多了。


任何指针都会非常感激。


-

David Bear

- 让我购买你的知识产权，我想拥有你的想法 -

Being new to pgdb, I''m finding there are lot of things I don''t understand
when I read the PEP and the sparse documentation on pgdb.

I was hoping there would be a module that would properly escape longer text
strings to prevent sql injection -- and other things just make sure the
python string object ends up being a properly type for postgresql. I''ve
bought 3 books on postgresql and none of th code samples demonstrate this.

web searchs for ''python sql escape string'' yeild way too many results.

Any pointers would be greatly appreciated.

--
David Bear
-- let me buy your intellectual property, I want to own your thoughts --

推荐答案

David Bear写道：

David Bear wrote:

作为pgdb的新手，当我阅读PEP和pgdb上的稀疏文档时，我发现有很多我不理解的东西。

我希望有一个模块可以正确地逃避更长的文本字符串以防止sql注入 - 而其他事情只是确保
python字符串对象最终成为一个正确的类型对于postgresql。我已经在postgresql上买了3本书，并且没有任何代码示例证明这一点。

网页搜索''python sql escape string''结果太多了。

任何指针都将不胜感激。

Being new to pgdb, I''m finding there are lot of things I don''t understand
when I read the PEP and the sparse documentation on pgdb.

I was hoping there would be a module that would properly escape longer text
strings to prevent sql injection -- and other things just make sure the
python string object ends up being a properly type for postgresql. I''ve
bought 3 books on postgresql and none of th code samples demonstrate this.

web searchs for ''python sql escape string'' yeild way too many results.

Any pointers would be greatly appreciated.

for x in range（1000000）：

print" USE PARAMETERS TO通过数据库的价值


< / F>

for x in range(1000000):
print "USE PARAMETERS TO PASS VALUES TO THE DATABASE"

</F>

Fredrik Lundh写道：

Fredrik Lundh wrote:

web搜索''python sql escape string''结果太多结果。

任何指针都会非常感激。

web searchs for ''python sql escape string'' yeild way too many results.

Any pointers would be greatly appreciated.

对于范围内的x（1000000）：
打印使用参数来通过数据库

for x in range(1000000):
print "USE PARAMETERS TO PASS VALUES TO THE DATABASE"

例如，请参阅清单2。在以下文章中：

http ：//www.amk.ca/python/writing/DB-API.html


（该示例中使用的数据库使用？参数样式你的数据库

可能更喜欢另一种风格;查看paramstyle变量。查看数据库API规范

获取描述）


（该文章的linuxjournal版本是从pygresql网站链接的）


< / F>

for an example, see "listing 2" in the following article:

http://www.amk.ca/python/writing/DB-API.html

(the database used in that example uses the "?" parameter style. your database
may prefer another style; check the paramstyle variable. see the DB API spec
for a descriptoin)

(a linuxjournal version of that article is linked from the pygresql site)

</F>

David Bear< da ******** @ asu.edu>写道：

David Bear <da********@asu.edu> wrote:

pgdb的新手，我发现有很多东西我不明白
当我读到PEP和pgdb上的稀疏文档时。

我希望有一个模块可以正确地逃避更长的文本字符串以防止sql注入 - 而其他的东西只是确保
python字符串对象结束是postgresql的正确类型。我已经在postgresql上买了3本书，并且没有任何代码示例证明这一点。

Being new to pgdb, I''m finding there are lot of things I don''t understand
when I read the PEP and the sparse documentation on pgdb.

I was hoping there would be a module that would properly escape longer text
strings to prevent sql injection -- and other things just make sure the
python string object ends up being a properly type for postgresql. I''ve
bought 3 books on postgresql and none of th code samples demonstrate this.

所有的Python数据库模块都会为你做这个保护。

示例：


db = psycopg2.connect（database =''dbname''）

c = db.cursor（ ）

c.execute（" INSERT INTO table1 VALUES（％s，％s，％s）;"，（var1，var2，var3））


请注意，我使用了逗号，而不是Python％运算符，并且我没有在查询中完成任何引用。通过这样做，我指示

数据库模块执行我已经传递的

值可能需要的任何保护性引用，并将引用的值替换为字符串。


只要您使用该方案，您就应该安全注射。只有当人们试图自己解决它们遇到麻烦时，它才会是
，例如：


c.execute（" INSERT INTO table1 VALUES（''％s''，''％s''，''％s''）;"％（var1，var2，

var3））＃这是错误的

-

- Tim Roberts， ti**@probo.com

Providenza& Boekelheide，Inc。

All of the Python database modules will do this protection for you.
Example:

db = psycopg2.connect(database=''dbname'')
c = db.cursor()
c.execute( "INSERT INTO table1 VALUES (%s,%s,%s);", (var1, var2, var3) )

Note that I have used a "comma", not the Python % operator, and I have not
done any quoting in the query. By doing that, I am instructing the
database module to do whatever protective quoting may be required for the
values I have passed, and substitute the quoted values into the string.

As long as you use that scheme, you should be safe from injection. It''s
only when people try to do it themselves that they get in trouble, as in:

c.execute( "INSERT INTO table1 VALUES (''%s'',''%s'',''%s'');" % (var1, var2,
var3) ) # THIS IS WRONG

--
- Tim Roberts, ti**@probo.com
Providenza & Boekelheide, Inc.

这篇关于sql转义模块的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！