SQL injection in SQLite full text search


Question

Consider this sqlite3 FTS4 table:

c.execute("CREATE VIRTUAL TABLE docs USING fts4(content)")

Is the following safe from SQL injection, where txt contains a string?

I am not sure if a parameterised query is safe or not, since there is only one parameter, txt, which is a string.

c.execute("SELECT * FROM docs WHERE docs MATCH (?)",(txt,))

Answer

Yes, it is safe from SQL injection; that is what the SQL parameter is for, to escape and quote txt properly.

If you were to use string formatting ("... MATCH ('%s')" % txt or "... MATCH ('{}')".format(txt)), then you'd be opening a SQL injection vector, as you wouldn't be escaping metacharacters in txt.
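As an added example (not part of the original question or answer), here are the two forms side by side on the question's fts4 table, plus a caveat the answer does not cover: a bound parameter stops SQL injection, but the caller still controls the MATCH expression syntax (OR, NEAR, prefix `*`), so untrusted input may need to be quoted as a phrase. SAMPLE_DOCS, make_db, safe_search, unsafe_search, as_phrase and demo are names chosen here, not from the post.

```python
import sqlite3

# Constructed sample rows for the demo (not from the original post).
SAMPLE_DOCS = [
    "SQLite FTS4 indexes document content",
    "O'Reilly's guide to full text search",
    "an unrelated row about parameterised queries",
]


def make_db():
    """In-memory database with the question's fts4 table and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE VIRTUAL TABLE docs USING fts4(content)")
    conn.executemany("INSERT INTO docs(content) VALUES (?)",
                     [(d,) for d in SAMPLE_DOCS])
    return conn


def safe_search(conn, txt):
    """The question's parameterised query: txt is bound as a value, so a
    quote inside it can never terminate the SQL string literal."""
    cur = conn.execute("SELECT content FROM docs WHERE docs MATCH (?)", (txt,))
    return [row[0] for row in cur]


def unsafe_search(conn, txt):
    """The string-formatting variant the answer warns against: txt is spliced
    into the SQL text, so a quote in it changes the statement itself."""
    cur = conn.execute("SELECT content FROM docs WHERE docs MATCH ('%s')" % txt)
    return [row[0] for row in cur]


def as_phrase(txt):
    """Hypothetical helper: quote txt as one FTS phrase so MATCH operators in
    the input (OR, NEAR, NOT) are searched as plain words. FTS3/4 has no
    escape inside a phrase, so embedded double quotes become spaces; note a
    trailing * still acts as a prefix marker."""
    return '"%s"' % txt.replace('"', " ")


def demo():
    conn = make_db()
    out = {"safe_quote": safe_search(conn, "O'Reilly's")}
    try:
        out["unsafe_quote"] = unsafe_search(conn, "O'Reilly's")
    except sqlite3.OperationalError as exc:  # SQL syntax error, not a match
        out["unsafe_quote"] = "error: %s" % exc
    # Parameterisation stops SQL injection, not MATCH-syntax steering:
    out["operator"] = safe_search(conn, "full text OR nothing")
    out["phrase"] = safe_search(conn, as_phrase("full text OR nothing"))
    return out
```

With the apostrophe input the parameterised query returns the O'Reilly row while the formatted query fails with a syntax error; the OR input matches a row through the bound parameter until it is wrapped as a phrase.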
