改进 SQL INSERT 查询以避免 sql 注入
Improve SQL INSERT query to avoid sql injections
我正在使用 pymyql/mysql-connector 将消息写入 mysql 数据库。消息在来自 mqtt broker.I 的回调(paho.mqtt 回调)上处理,有 4 个不同的表,根据消息类型,我将消息插入数据库。我已经编写了如下插入查询。这种写法导致 sql 注入 seems.Any 建议如何改进插入查询语句?
# callback attached to paho.mqtt.client
def on_message(self, client, userdata, msg):
if msg.topic.startswith("topic1/"):
self.bulkpayload += "(" + msg.payload.decode("utf-8") + "," + datetime + "),"
elif msg.topic.startswith("topic2/"):
self.insertStatement += "INSERT INTO mydatabase.table1 VALUES (" + msg.payload.decode("utf-8") + "," + datetime + ");"
elif msg.topic.startswith("topic3/")
self.insertStatement += "INSERT INTO mydatabase.table2 VALUES (" +msg.payload.decode("utf-8") + "," + datetime + ");"
elif msg.topic.startswith("messages"):
self.insertStatement += "INSERT INTO mydatabase.table3 VALUES ('" + msg.topic + "'," + msg.payload.decode("utf-8") + "," + datetime + ");"
else:
return # do not store in DB
cursor.execute(self.insertStatement)
cursor.commit()
使您的查询使用参数。注射几率大大降低:
cursor.execute("INSERT INTO table VALUES (%s, %s, %s)", (var1, var2, var3))
信用(和更多信息)在这里:How to use variables in SQL statement in Python?
此外,Dan Bracuk 是正确的 - 如果您还没有
,请确保在执行 SQL 之前验证您的参数
我正在使用 pymyql/mysql-connector 将消息写入 mysql 数据库。消息在来自 mqtt broker.I 的回调(paho.mqtt 回调)上处理,有 4 个不同的表,根据消息类型,我将消息插入数据库。我已经编写了如下插入查询。这种写法导致 sql 注入 seems.Any 建议如何改进插入查询语句?
# callback attached to paho.mqtt.client
def on_message(self, client, userdata, msg):
if msg.topic.startswith("topic1/"):
self.bulkpayload += "(" + msg.payload.decode("utf-8") + "," + datetime + "),"
elif msg.topic.startswith("topic2/"):
self.insertStatement += "INSERT INTO mydatabase.table1 VALUES (" + msg.payload.decode("utf-8") + "," + datetime + ");"
elif msg.topic.startswith("topic3/")
self.insertStatement += "INSERT INTO mydatabase.table2 VALUES (" +msg.payload.decode("utf-8") + "," + datetime + ");"
elif msg.topic.startswith("messages"):
self.insertStatement += "INSERT INTO mydatabase.table3 VALUES ('" + msg.topic + "'," + msg.payload.decode("utf-8") + "," + datetime + ");"
else:
return # do not store in DB
cursor.execute(self.insertStatement)
cursor.commit()
使您的查询使用参数。注射几率大大降低:
cursor.execute("INSERT INTO table VALUES (%s, %s, %s)", (var1, var2, var3))
信用(和更多信息)在这里:How to use variables in SQL statement in Python?
此外,Dan Bracuk 是正确的 - 如果您还没有
,请确保在执行 SQL 之前验证您的参数