这个 Python 代码容易受到 SQL 注入的影响吗?(SQLite3) [英] Is this Python code vulnerable to SQL injection? (SQLite3)

问题描述

正如标题所暗示的，我想知道这段代码是否容易受到 SQL 注入攻击?如果是这样，是否有更好、更安全的方式来实现同样的目标?

As the title suggests, I would like to know if this code is vulnerable to SQL Injection? And if so, is there a better, more secure, way of achieving the same thing?

def add(table,*args):
    statement="INSERT INTO %s VALUES %s" % (table,args)
    cursor.execute(statement)

推荐答案

是的.使用类似的方法来防止它:

Yes, it is. Use something like this to prevent it:

cursor.execute("INSERT INTO table VALUES ?", args)

请注意，您不能像这样输入表格.理想情况下，表格应该是硬编码的，在任何情况下都不应该来自任何类型的用户输入.您可以使用与您为表格所做的类似的字符串，但您最好 100% 确定用户无法以某种方式更改它...请参阅 我可以在 sqlite3 中使用表名的参数吗? 了解更多详情.

Note that you cannot enter the table in like this. Ideally the table should be hard coded, in no circumstance should it come from a user input of any kind. You can use a string similar to what you did for the table, but you'd better make 100% certain that a user can't change it somehow... See Can I use parameters for the table name in sqlite3? for more details.

本质上，你想把参数放在游标命令中，因为它会确保数据数据库的安全.使用您的第一个命令，制作一个特殊的 table 或 args 将相对容易，将一些不安全的东西放入您的 SQL 代码中.请参阅 python 页面，以及引用的 http://xkcd.com/327/.具体来说，python 页面引用:

Essentially, you want to put the parameters in the cursor command, because it will make sure to make the data database safe. With your first command, it would be relatively easy to make a special table or args that put something into your SQL code that wasn't safe. See the python pages, and the referenced http://xkcd.com/327/ . Specifically, the python pages quote:

通常您的 SQL 操作需要使用 Python 中的值变量.你不应该使用 Python 的字符串来组装你的查询操作，因为这样做是不安全的；它使你的程序容易受到 SQL 注入攻击(请参阅 http://xkcd.com/327/可能出错的幽默例子).

Usually your SQL operations will need to use values from Python variables. You shouldn’t assemble your query using Python’s string operations because doing so is insecure; it makes your program vulnerable to an SQL injection attack (see http://xkcd.com/327/ for humorous example of what can go wrong).

相反，使用 DB-API 的参数替换.放 ?作为一个占位符在任何你想使用值的地方，然后提供一个元组值作为游标的 execute() 方法的第二个参数.(其他数据库模块可能使用不同的占位符，例如 %s 或:1.)

Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method. (Other database modules may use a different placeholder, such as %s or :1.)

基本上，有人可以设置一个参数来执行另一个命令，如下所示:

Basically, someone could set an args that executed another command, something like this:

args="name; DELETE table"

使用 cursor.execute 将填充给定的值，以便参数可以被列出，并且当您对其进行查询时，这正是您将得到的.XKCD 也幽默地解释了这一点.

Using cursor.execute will stuff the value given, so that the argument could be as listed, and when you do a query on it, that is exactly what you will get out. XKCD explains this humorously as well.

这篇关于这个 Python 代码容易受到 SQL 注入的影响吗?(SQLite3)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！