SQLAlchemy: session.execute and bindparams problem - sqlalchemy.exc.OperationalError: (sqlite3.OperationalError)

Date: 2019-05-03 16:01:24

Tags: python sqlalchemy

This code definitely works, but it is vulnerable to SQL injection...

### WORKS FINE ###
from sqlalchemy import text

value = "whatever"
statement = text(f"DROP VIEW {value}")  # value is spliced into the SQL string
session.execute(statement)

...so I want to protect it with bindparam(s), but I cannot for the life of me get this to work with the DROP VIEW statement given above.

### DOES NOT WORK ###
from sqlalchemy import String, bindparam, text

value = "whatever"
statement = text("DROP VIEW :value").bindparams(bindparam("value", String))
session.execute(statement, { "value": value })

Error

Traceback (most recent call last):
  File "/some_directory/venv/lib/python3.6/site-packages/sqlalchemy/engine/base.py", line 1236, in _execute_context
    cursor, statement, parameters, context
  File "/some_directory/venv/lib/python3.6/site-packages/sqlalchemy/engine/default.py", line 536, in do_execute
    cursor.execute(statement, parameters)
sqlite3.OperationalError: near "?": syntax error

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/some_directory/some_file.py", line 10, in _do_sql
    result = session.execute(statement, { "value": value })
  File "/some_directory/venv/lib/python3.6/site-packages/sqlalchemy/orm/session.py", line 1263, in execute
    clause, params or {}
  File "/some_directory/venv/lib/python3.6/site-packages/sqlalchemy/engine/base.py", line 980, in execute
    return meth(self, multiparams, params)
  File "/some_directory/venv/lib/python3.6/site-packages/sqlalchemy/sql/elements.py", line 273, in _execute_on_connection
    return connection._execute_clauseelement(self, multiparams, params)
  File "/some_directory/venv/lib/python3.6/site-packages/sqlalchemy/engine/base.py", line 1099, in _execute_clauseelement
    distilled_params,
  File "/some_directory/venv/lib/python3.6/site-packages/sqlalchemy/engine/base.py", line 1240, in _execute_context
    e, statement, parameters, cursor, context
  File "/some_directory/venv/lib/python3.6/site-packages/sqlalchemy/engine/base.py", line 1458, in _handle_dbapi_exception
    util.raise_from_cause(sqlalchemy_exception, exc_info)
  File "/some_directory/venv/lib/python3.6/site-packages/sqlalchemy/util/compat.py", line 296, in raise_from_cause
    reraise(type(exception), exception, tb=exc_tb, cause=cause)
  File "/some_directory/venv/lib/python3.6/site-packages/sqlalchemy/util/compat.py", line 276, in reraise
    raise value.with_traceback(tb)
  File "/some_directory/venv/lib/python3.6/site-packages/sqlalchemy/engine/base.py", line 1236, in _execute_context
    cursor, statement, parameters, context
  File "/some_directory/venv/lib/python3.6/site-packages/sqlalchemy/engine/default.py", line 536, in do_execute
    cursor.execute(statement, parameters)
sqlalchemy.exc.OperationalError: (sqlite3.OperationalError) near "?": syntax error [SQL: 'DROP VIEW ?'] [parameters: ('whatever',)] (Background on this error at: http://sqlalche.me/e/e3q8)

At first I thought it was a syntax or mechanism error, but I can get things to work with a WHERE clause.

### WORKS FINE ###
from sqlalchemy import String, bindparam, text

value = "whatever"
statement = text("SELECT * FROM tbl WHERE column = :value").bindparams(bindparam("value", String))
result = session.execute(statement, { "value": value })

Perhaps SQLAlchemy is not designed for this.
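The traceback above comes from the underlying sqlite3 driver: a bind parameter can only carry a value, never an identifier such as a view name, so `DROP VIEW ?` is rejected at prepare time regardless of how SQLAlchemy wraps it. The following added example (not from the original question) reproduces that failure with the stdlib `sqlite3` module on a constructed in-memory database, then shows the defensive pattern for DDL on a caller-supplied name: check the name against the catalogue of views that actually exist, and quote it as an identifier before splicing it into the statement.

```python
import sqlite3


def setup_db():
    """Constructed sample database: one table and two views."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tbl (id INTEGER PRIMARY KEY, col TEXT);
        CREATE VIEW v_all AS SELECT * FROM tbl;
        CREATE VIEW v_ids AS SELECT id FROM tbl;
    """)
    return conn


def drop_view_with_bindparam(conn, name):
    """The approach from the question: a placeholder in identifier position.
    Bind parameters are values, so SQLite rejects this as a syntax error."""
    try:
        conn.execute("DROP VIEW ?", (name,))
        return "dropped"
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def list_views(conn):
    """Names of the views that currently exist, read from the catalogue."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'view'")
    return {row[0] for row in rows}


def quote_identifier(name):
    """Quote an SQL identifier: double quotes, with embedded quotes doubled."""
    return '"' + name.replace('"', '""') + '"'


def drop_view_safely(conn, name):
    """Hardened: only names present in the catalogue are accepted, and the
    accepted name is quoted as an identifier rather than bound as a value."""
    if name not in list_views(conn):
        raise ValueError(f"unknown view: {name!r}")
    conn.execute(f"DROP VIEW {quote_identifier(name)}")
    return list_views(conn)


def demo():
    conn = setup_db()
    results = {"bind_attempt": drop_view_with_bindparam(conn, "v_all")}
    results["views_before"] = sorted(list_views(conn))
    results["views_after"] = sorted(drop_view_safely(conn, "v_all"))
    try:
        drop_view_safely(conn, "no_such_view")
        results["unknown_rejected"] = False
    except ValueError:
        results["unknown_rejected"] = True
    return results
```

With SQLAlchemy the same identifier quoting is available from the dialect, `engine.dialect.identifier_preparer.quote(name)`, and the allowlist from `inspect(engine).get_view_names()`.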

0 answers:

No answers