SQLAlchemy查询容易受到注入攻击？ [英] Is a SQLAlchemy query vulnerable to injection attacks?

问题描述

我有下面的查询，使用像来搜索博客。如果我这样做，我不确定自己是否容易受到SQL注入攻击。 SQLAlchemy是如何处理这个的？是否安全？

I have the following query that uses like to search a blog. I am not sure if I'm making myself vulnerable to a SQL injection attack if I do this. How is SQLAlchemy handling this? Is it safe?

search_results = Blog.query.with_entities(Blog.blog_title).filter(Blog.blog_title.like("%"+ searchQuery['queryText'] +"%")).all()

推荐答案

无论您使用的是哪种数据库（sqlite3，psycopg2等），底层的db-api库都会转义参数。 SQLAlchemy只是将语句和参数传递给 execute ，驱动程序做任何需要的。假设你不是自己编写包含参数的原始SQL，那么你不容易被注入。你的例子不容易注射。

The underlying db-api library for whatever database you're using (sqlite3, psycopg2, etc.) escapes parameters. SQLAlchemy simply passes the statement and parameters to execute, the driver does whatever is needed. Assuming you are not writing raw SQL that includes parameters yourself, you are not vulnerable to injection. Your example is not vulnerable to injection.

这篇关于SQLAlchemy查询容易受到注入攻击？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！