使用 web.py 的 web.database 时应该如何防止滥用? [英] How should I prevent abuse when using web.py's web.database?

问题描述

我正在编写一个快速的 web.py 应用程序并从 web.input 中获取数据...

I'm writing a quick web.py app and take data from web.input...

import web
urls = (
    '/', 'something',
)
app = web.application(urls, globals())
db = web.database(dbn='postgres', db='database', user='username', password='password', host='127.0.0.1')
class something:
    def GET(self):
        i = web.input()
        return db.select('foo.table', where="column=$variable", vars={'variable':i.input, })
if __name__ == "__main__": app.run()

作为 vars 的一部分，我是否应该担心将 i.input 传递给 db.select(或查询等)?SQL注入可能性等?

Should I worry about passing i.input to db.select (or query etc.) as I do as part of vars? SQL injection possibilities etc. ?

我自己一直在玩这个，试图让一些讨厌的事情发生.例如，玩引用，http://localhost:8080/?id=13' 或 'x' ='x 导致很好地转义 sql 显示在异常中:

I have been playing around with this myself, trying to get something nasty happenning. Playing with quoting for example, http://localhost:8080/?id=13' or 'x' ='x results in nicely escaped sql being shown in Exceptions:

<sql: 'select * from foo.table where id = "13\' or \'x\'=\'x"'>

我已经尝试了互联网提出的其他一些常见测试，并且认为我很高兴 web.py 正在处理消毒...还有其他人可以发表评论吗?

I've tried a few other common tests that the internet puts forward and think I'm quite happy web.py is dealing with the sanitisation... Would anyone else be able to comment?

推荐答案

http://webpy.org/cookbook/查询说:

为了防止 SQL 注入攻击，db.query 也接受vars"db.select 中描述的语法:

To prevent SQL injection attacks, db.query also accepts the "vars" syntax as described in db.select:

results = db.query("SELECT * FROM users WHERE id=$id", vars={'id':10})

如果您信任他们的id"，这将转义用户输入变量.

This will escape user input, if you're trusting them for the "id" variable.

所以我想就这么简单.

当然，我意识到如果我要插入它，我仍然需要验证用户输入......

Of course I realise that I still need to validate user input if I'm going to be inserting it places...

这篇关于使用 web.py 的 web.database 时应该如何防止滥用?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！