Prevent SQL injection in Django forms


Question

I use this for validation:

from django import forms


class MyValidationForm(forms.Form):
    title = forms.CharField()
    # Textarea is a widget, not a field; wrapping it in a CharField makes
    # `body` an actual form field that is validated and cleaned
    body = forms.CharField(widget=forms.Textarea)
    taxonomy = forms.IntegerField()

This is my class-based view:

from django.http import HttpResponse
from django.shortcuts import get_object_or_404

# `post` and `taxonomy` are the poster's own models; their module is assumed here
from .models import post, taxonomy


class blog_createpost(dashboardBaseViews):

    template_name = "dashboardtems/blog_createpost.html"

    model = {}

    def post(self, request, *args, **kwargs):

        form = MyValidationForm(request.POST)

        if not form.is_valid():
            return HttpResponse("not valid")

        # The values go through the ORM, which sends them to the database
        # driver as parameters rather than splicing them into SQL text
        new_data = post(title=request.POST['title'],
                        body=request.POST['body'],
                        description=request.POST['description'],
                        taxonomy=get_object_or_404(taxonomy,
                                                   pk=request.POST['taxonomy']),
                        writer=request.user)
        new_data.save()
        return HttpResponse("done")


Like you see, I check my received request validation in this line: if not form.is_valid(): and it's working, but when I add some SQL command inside my form inputs, it does not prevent inserting the value inside the database!.. Meaning I have a field in the database which contains some value like select * from user where 1=1! Doesn't it cause SQL-injection danger from user inputs?...

Answer


You have misunderstood what SQL injection means. Django has successfully protected you from such an attack, the string "select * from user where 1=1" is being treated as data, not as a command, and ended up as a value in the database.


A SQL injection attack alters the SQL that is being executed by the database. A successful attack tricks the database into executing data as commands instead. You'd not end up with select * from user where 1=1 as a value, but instead you end up with the attacker getting access to all results from the user table.


A classic error is to not properly escape data, by constructing the SQL command as a string. Let's say the server uses the following query to look up data for the current user:

SELECT * FROM user WHERE username='$user_id'


where $user_id comes from the request. Normally that'd be a login name, say

user_id = "zopatista"

so the query becomes

SELECT * FROM user WHERE username='zopatista'


If the server does not protect against SQL injection attacks, an attacker can replace user_id and inject more SQL commands:

user_id = "zopatista' OR 1=1 -- "


so after simply interpolating that string into the query, now the server will send the following SQL to the database:

SELECT * FROM user WHERE username='zopatista' OR 1=1 -- '


and suddenly the meaning of the query command has changed and the database will return all rows rather than just one row matching the login name.


The classic XKCD joke on SQL injection goes a step further and injects SQL code that deletes the whole table, rather than trying to get access to more information.


A server protecting against SQL injection will make sure that user-provided data is always parameterised, sending the data to the database driver separately from the query to make sure it can never be seen as part of the query.


As long as you use Django's models and querysets, you'll be protected from SQL injection attacks. You would only be at risk if you mixed extra() or RawSQL() with user data without using their parameter features.
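The contrast the answer draws between string interpolation and parameterisation, as an added example that is not part of the original answer: the same lookup is run both ways against a constructed in-memory SQLite table (the table contents are made up here), so you can see that the interpolated query returns every row for the quoted input while the parameterised one simply finds no such user, which is the behaviour Django's ORM gives you.

```python
import sqlite3

# Constructed sample rows (not from the original answer).
USERS = [
    ("zopatista", "zopatista@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("carol", "carol@example.invalid"),
]


def make_db():
    """Build a throwaway in-memory database with a `user` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", USERS)
    return conn


def lookup_interpolated(conn, user_id):
    """The classic error: the request value is pasted into the SQL text,
    so quotes and comment markers in it become part of the command."""
    sql = "SELECT * FROM user WHERE username='%s'" % user_id
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, user_id):
    """What the ORM does for you: the value travels to the driver separately
    from the query and can only ever be compared as data."""
    sql = "SELECT * FROM user WHERE username=?"
    return conn.execute(sql, (user_id,)).fetchall()


def compare(user_id):
    """Return (rows from interpolated query, rows from parameterised query)."""
    conn = make_db()
    try:
        return (len(lookup_interpolated(conn, user_id)),
                len(lookup_parameterised(conn, user_id)))
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("zopatista"))             # a normal login name matches one row either way
    print(compare("zopatista' OR 1=1 -- ")) # the answer's input: all rows vs. no rows
```

The second call is the answer's worked example: the interpolated query now reads SELECT * FROM user WHERE username='zopatista' OR 1=1 -- ' and matches all three constructed rows, while the parameterised version compares the whole string against the username column and matches nothing.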
