Django，如果使用原始SQL，应采取哪些步骤来避免SQL注入攻击? [英] Django,if using raw SQL, what steps should I take to avoid SQL injection attacks?

问题描述

我已经阅读到ORM应该将SQL注入攻击的可能性降到最低.但是在Django中，有时ORM受到一定限制，我需要使用原始SQL.我应该采取什么步骤来避免SQL注入攻击?

I have read that ORM's should minimise the possibilities of SQL injection attacks. However in Django, sometimes the ORM is somewhat limited, and I need to use raw SQL. What steps should I take to avoid SQL injection attacks?

目前，我想检查一下查询字符串中的分号，但没有其他内容.如果我使用参数化查询，是否可以解决问题?是否有任何库可以将该字符串传递给我，以便我对其进行检查?

Currently I would know to check for semicolons in the query string, but not much else. If I use parametrised queries, will this solve the problem? Are there any libraries to pass the string to, that will check it for me?

推荐答案

文档说明以下内容:

如果需要执行参数化查询，则可以使用参数 raw()的参数:

>>> lname = 'Doe'
>>> Person.objects.raw('SELECT * FROM myapp_person WHERE last_name = %s', [lname])

params 是参数的列表或字典.您将使用％s 列表的查询字符串中的占位符，或％(key)s 占位符对于字典(其中的键由字典的键替换，当然)，无论您的数据库引擎是什么.此类占位符将是替换为params参数中的参数.

params is a list or dictionary of parameters. You’ll use %s placeholders in the query string for a list, or %(key)s placeholders for a dictionary (where key is replaced by a dictionary key, of course), regardless of your database engine. Such placeholders will be replaced with parameters from the params argument.

这也是使用Python的DB-API传递参数的标准方法，可以正确清理查询.

This is also the standard way to pass parameters using Python's DB-API, which will sanitize your queries correctly.

无论您做什么，都不要进行字符串插值.

Whatever you do, don't do string interpolation.

这篇关于Django，如果使用原始SQL，应采取哪些步骤来避免SQL注入攻击?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！