placeholder for table name


Question

I'm working on an editable table and would like to ask about the placeholder for the table name. I tried many ways but it doesn't work. Is it secure to do this? And how to do it?

I have read a lot of people discuss this but it seems to be very complicated. Can anyone give me just a simple answer?

from flask import g, request

id = request.args.get('id')
column = request.args.get('column')
newValue = request.args.get('newValue')

g.db = connect_db()
# The column name is pasted into the SQL text with %; only the values are bound with ?.
cur = g.db.execute('UPDATE customer SET %s=? WHERE rowid=?' % column, (newValue, id))
g.db.commit()
g.db.close()


Answer

Security depends on the source of the column and table names you're going to use. It can be potentially insecure if you get them from untrusted sources. In either case, variable table/column names are not safe in the sense of potential runtime errors for non-existent tables/columns.

For your code, one does not use placeholders for a table or column name. The reason is that while SQL statements with different bound variables are equal in terms of the tables involved, execution plan, etc. (i.e. compiled equivalently), SQL statements with different table names or columns are obviously not equal.

You can do it as follows:

sql_template = 'UPDATE {table} SET {column}=? WHERE rowid=?'
sql = sql_template.format(table=table_name, column=column_name)
db.execute(sql, (newValue, id))
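The answer above leaves open the part the asker worried about: what happens when `column` comes straight from the request. The following is an added example, not code from the question or the answer. It uses an in-memory sqlite3 database with a constructed `customer` table, shows the `str.format` pattern from the answer being abused through a crafted column name, and then the same call with the column name checked against an allowlist derived from `PRAGMA table_info` before it is placed into the SQL text (values still go through `?` placeholders). The table, rows and column names are assumptions for the demo.

```python
import sqlite3

# Constructed schema and seed row for the demo; not from the original post.
SCHEMA = "CREATE TABLE customer (name TEXT, email TEXT, balance INTEGER)"
SEED = ("alice", "alice@example.com", 10)


def editable_columns(conn):
    """Allowlist of column names, read from the live schema.

    In a real app prefer a hard-coded set of the columns the UI may edit,
    so a schema change cannot silently make a new column writable.
    """
    rows = conn.execute("PRAGMA table_info(customer)").fetchall()
    return {row[1] for row in rows}  # row[1] is the column name


def update_unchecked(conn, column, new_value, rowid):
    # The pattern from the answer, with an untrusted `column`: the name is
    # pasted into the SQL text, so it can carry extra SQL of its own.
    sql = "UPDATE customer SET {column}=? WHERE rowid=?".format(column=column)
    conn.execute(sql, (new_value, rowid))
    conn.commit()


def update_checked(conn, column, new_value, rowid):
    # Identifiers cannot be bound, so validate them before they reach the SQL
    # text. Values are still bound with ? placeholders as before.
    if column not in editable_columns(conn):
        raise ValueError("column not editable: %r" % (column,))
    # Quote the identifier (doubling any embedded quote) so it is always
    # parsed as a name, never as an expression.
    quoted = '"%s"' % column.replace('"', '""')
    sql = "UPDATE customer SET {column}=? WHERE rowid=?".format(column=quoted)
    cur = conn.execute(sql, (new_value, rowid))
    conn.commit()
    return cur.rowcount


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO customer VALUES (?, ?, ?)", SEED)
    conn.commit()
    return conn


def row(conn):
    return conn.execute(
        "SELECT name, email, balance FROM customer WHERE rowid=1"
    ).fetchone()


def demo():
    # Attacker-controlled column name that smuggles a second assignment.
    evil_column = "balance=1000000, email"

    # 1. Unchecked: balance is rewritten alongside the intended email update.
    conn = fresh_db()
    update_unchecked(conn, evil_column, "mallory@example.com", 1)
    tampered = row(conn)

    # 2. Checked: the same input is rejected before any SQL is executed.
    conn = fresh_db()
    try:
        update_checked(conn, evil_column, "mallory@example.com", 1)
        rejected = False
    except ValueError:
        rejected = True
    untouched = row(conn)

    # 3. A legitimate edit still works through the checked path.
    conn = fresh_db()
    changed = update_checked(conn, "email", "alice@new.example", 1)
    legit = row(conn)

    return tampered, rejected, untouched, changed, legit


if __name__ == "__main__":
    print(demo())
```

Note that sqlite3's `execute` refuses multiple statements, so the usual `; DROP TABLE` payload fails here; the attack that does work is exactly the one the answer's template permits, extra assignments or subqueries inside the `SET` clause. An allowlist of known column names is the simplest check; if you also derive the table name from input, apply the same idea to it.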
