我有一个我正在编写的类,它允许用于对postGIS表执行各种空间分析。因此,用户必须能够通过名称选择它们,这是我从参数中获得的。我理解允许用户输入这样的危险,但我没有选择。
我确保提前使用其他功能清理表名。我这样做是通过检查该参数的输入字符串是否与数据库中检索到的表名列表相匹配。然后我使用AsIs()传递它,我知道不推荐它,但就像我说的那样,我提前验证了表名,看它是否是数据库中的现有表。但我仍然在参数左边,一个代表空间坐标系的代码。
我正在尝试自己写注射,看看这是否是一个问题。我没有使用AsIs()这个变量,但我是偏执狂,并希望确保它是安全的。我无法传递一个能够执行注入的变量(我尝试删除一个名为" deletetest")的传说。
这是我的代码:
class myClass(object):
def __init__(self, conn_string, srid):
self.connString = conn_string
self.conn = psycopg2.connect(self.connString)
self.srid = srid
return None
def sanitized(self, input_text):
"""
Makes sure that the input matches an existing table name to make sure that the input name is not an SQL
injection attempt. True if the table name is found, False if not.
:param input_text: String to be sanitized.
:return: boolean
"""
query = "SELECT relname FROM pg_class WHERE relkind='r' AND relname !~ '^(pg_|sql_)';"
cur = self.conn.cursor()
cur.execute(query)
for tbl in [i[0] for i in cur.fetchall()]:
if input_text == tbl:
return True
return False
def interallocate(self, features):
if self.sanitized(features):
query = """
DROP TABLE IF EXISTS parking_lots_interallocation_result;
CREATE TABLE parking_lots_interallocation_result (pk_id SERIAL PRIMARY KEY, from_pl_id varchar(50), to_pl_id varchar(50), distance real);
SELECT AddGeometryColumn('public', 'parking_lots_interallocation_result', 'geom', %(srid)s, 'LINESTRING', 2);
DROP TABLE IF EXISTS interallocation_duplicate;
CREATE TABLE interallocation_duplicate AS TABLE %(features)s;
INSERT INTO parking_lots_interallocation_result (from_pl_id, to_pl_id, distance, geom)
SELECT
%(features)s.pl_id AS from_pl_id,
interallocation_duplicate.pl_id AS to_pl_id,
ST_Distance(%(features)s.geom, interallocation_duplicate.geom) AS distance,
ST_ShortestLine(%(features)s.geom, interallocation_duplicate.geom) AS geom
FROM
%(features)s
LEFT JOIN
interallocation_duplicate ON ST_DWithin(%(features)s.geom, interallocation_duplicate.geom, 700)
WHERE
interallocation_duplicate.pl_id IS NOT NULL AND %(features)s.pl_id != interallocation_duplicate.pl_id
ORDER BY
%(features)s.pl_id,
ST_Distance(%(features)s.geom, interallocation_duplicate.geom);
"""
print(query)
cur = self.conn.cursor()
cur.execute(query, {
'features': AsIs(features), # Can use AsIs because we made sure that this string matches an existing table name.
'srid': self.srid})
self.conn.commit()
else:
raise KeyError('Table {0} was not found.'.format(features))
据我所知,使用cur.execute()应该清理输入,并使用AsIs()绕过这一步。但我想得到其他意见,知道这是否仍然可以注射。
答案 0 :(得分:1)
使用sql module:
features = 'Table_Name'
insert_query = sql.SQL("""
INSERT INTO parking_lots_interallocation_result (from_pl_id, to_pl_id, distance, geom)
SELECT
{0}.pl_id AS from_pl_id,
interallocation_duplicate.pl_id AS to_pl_id,
ST_Distance({0}.geom, interallocation_duplicate.geom) AS distance,
ST_ShortestLine({0}.geom, interallocation_duplicate.geom) AS geom
FROM
{0}
LEFT JOIN
interallocation_duplicate ON ST_DWithin({0}.geom, interallocation_duplicate.geom, 700)
WHERE
interallocation_duplicate.pl_id IS NOT NULL AND {0}.pl_id != interallocation_duplicate.pl_id
ORDER BY
{0}.pl_id,
ST_Distance({0}.geom, interallocation_duplicate.geom);
""")
print (insert_query.format(sql.Identifier(features)).as_string(conn))
输出:
INSERT INTO parking_lots_interallocation_result (from_pl_id, to_pl_id, distance, geom)
SELECT
"Table_Name".pl_id AS from_pl_id,
interallocation_duplicate.pl_id AS to_pl_id,
ST_Distance("Table_Name".geom, interallocation_duplicate.geom) AS distance,
ST_ShortestLine("Table_Name".geom, interallocation_duplicate.geom) AS geom
FROM
"Table_Name"
LEFT JOIN
interallocation_duplicate ON ST_DWithin("Table_Name".geom, interallocation_duplicate.geom, 700)
WHERE
interallocation_duplicate.pl_id IS NOT NULL AND "Table_Name".pl_id != interallocation_duplicate.pl_id
ORDER BY
"Table_Name".pl_id,
ST_Distance("Table_Name".geom, interallocation_duplicate.geom);