创建一个易受攻击的Django搜索栏

时间:2017-11-16 20:35:19

标签: django sql-injection

我想创建一个易受攻击的搜索栏并完成所有操作但不幸的是,当我按提交时,搜索功能不会显示任何结果。 但终端显示成功,“POST / injection / HTTP / 1.1”200 596

views.py
    @csrf_exempt
    def search_form(request):
        if 'searchField' in request.POST:
            query= "SELECT * FROM injection_search WHERE injection_search.name LIKE '%searchField%'"
            print(query)
            item = search.objects.raw(query)

        else:
            item = search.objects.all()     
        return render(request, 'home.html', {'item' : item})

template/home.html

{% load static %} 
<link href="{% static 'css/style.css' %}" rel="stylesheet"></link>
<h1 class="page-header">INJECTION</h1>

<form action="" method="POST">
<input type="text" name="searchField" id="searchField" placeholder="search trainers..">
<button  type="submit">Find</button>
</form>

<h1> Search Page </h1>
<h3> Injection demo</h3>
<div class="shopping-container">

    <table border="3" cellspacing="0" cellpadding="10">
        <tbody>
           <tr>
              <th>Title</th>
              <th>Description</th>
              <th>Quantity</th>
           </tr>
           <!--{% for search in item %}-->
           <tr>
            <td>{{ search.name}}</td>
            <td>{{ search.description }}</td>
            <td>{{ search.price}}</td>
          </tr>
          <!--{%endfor%}-->
  </tbody>
    </table>
</div>

model.py
app_name = 'injection'
urlpatterns = [
    url(r'^$', views.index, name='index'),
    url(r'^injection/$', views.search_form, name='search_form'),
]

1 个答案:

答案 0 :(得分:0)

这也不适用于PHP,因为你在SQL字符串中没有使用变量。您只是使用文字值“searchField”。

为了使代码正常工作,您实际需要将字符串的值放入SQL命令中。在Python中有多种方法可以做到这一点,例如:

query= "SELECT * FROM injection_search WHERE injection_search.name LIKE '%{}%'".format(searchField)