请让我知道以下代码100%阻止python中的SQL注入
样本1
username = request.GET('username') # non-filtered user input
connection.execute("SELECT id,name,email FROM user WHERE username=%s LIMIT 1", (username,))
样品2
username = request.POST('username') # non-filtered user input
name = request.POST('name') # non-filtered user input
email = request.POST('email') # non-filtered user input
connection.execute("UPDATE user SET name=%s, email= %s WHERE username=%s LIMIT 1", (name, email, username,))
答案 0 :(得分:2)
%s的概念是将数据与查询隔离开来。传递两个参数时,它们将合并到模块中。它旨在减轻注射,但我会犹豫不决说“100%”
编辑:比我自己更聪明(甚至可能是现实生活中的安全专家!)在这里称重: https://security.stackexchange.com/questions/15214/are-prepared-statements-100-safe-against-sql-injection