Python最佳实践和最安全的方法来连接到MySQL和执行查询 [英] Python best practice and securest to connect to MySQL and execute queries
问题描述
在mysql上运行查询的最安全方法是什么,我知道MySQL和SQL注入涉及的危险.
What is the safest way to run queries on mysql, I am aware of the dangers involved with MySQL and SQL injection.
但是,我不知道如何运行查询以防止注入其他用户(Web客户端)可以操纵的变量.我曾经编写自己的转义函数,但显然这是未完成"的.
However I do not know how I should run my queries to prevent injection on the variables to which other users (webclients) can manipulate. I used to write my own escape function, but apparently this is "not-done".
我应该使用什么,以及如何使用它来通过python在MySQL数据库上安全地进行查询和插入,而又不会冒着注入mysql的风险?
What should I use and how should I use it to query and do inserts safely on a MySQL database through python without risking mysql injection?
推荐答案
为避免注入,请使用execute
和%s
代替每个变量,然后通过列表或元组将值作为<的第二个参数传递c0>.这是文档中的示例:
To avoid injections, use execute
with %s
in place of each variable, then pass the value via a list or tuple as the second parameter of execute
. Here is an example from the documentation:
c=db.cursor()
max_price=5
c.execute("""SELECT spam, eggs, sausage FROM breakfast
WHERE price < %s""", (max_price,))
请注意,这使用的是逗号,而不是%(这是直接字符串替换,不会转义). 不要这样做:
Note that this is using a comma, not % (which would be a direct string substitution, not escaped). Don't do this:
c.execute("""SELECT spam, eggs, sausage FROM breakfast
WHERE price < %s""" % (max_price,))
此外,如果参数是字符串,则不需要在位置持有人('%s'
)周围加上引号.
In addition, you don't need the quotes around the position holder ('%s'
) if the parameter is a string.
这篇关于Python最佳实践和最安全的方法来连接到MySQL和执行查询的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!