Preface
The number one web vulnerability is SQL. No matter which language is used for web back-end development, as long as relational database is used, SQL injection attacks may be encountered. question. So how does SQL injection appear during Python web development, and how to solve this problem?
Of course, I don’t want to discuss how other languages avoid sql injection. There are various methods for PHP injection prevention on the Internet. Python’s method is actually similar. Here Let me give you an example.
Cause
The most common cause of the vulnerability is stringsplicing. Of course, sql injection is not just a case of splicing, there are also things like wide bytes There are many types of injection, special charactersescaping, etc. Here we will talk about the most common string splicing, which is also the most common mistake for junior programmers.
First we define a class to handle mysql operations
class Database:
hostname = '127.0.0.1'
user = 'root'
password = 'root'
db = 'pythontab'
charset = 'utf8'
def init(self):
self.connection = MySQLdb.connect(self.hostname, self.user, self.password, self.db, charset=self.charset)
self.cursor = self.connection.cursor()
def insert(self, query):
try:
self.cursor.execute(query)
self.connection.commit()
except Exception, e:
print e
self.connection.rollback()
def query(self, query):
cursor = self.connection.cursor(MySQLdb.cursors.DictCursor)
cursor.execute(query)
return cursor.fetchall()
def del(self):
self.connection.close()Is there a problem with this class?
The answer is: Yes!
This class is defective and can easily cause SQL injection. Let’s talk about why SQL injection occurs.
In order to verify the authenticity of the problem, here is a method to call the method in the above class. If an error occurs, an exception will be thrown directly.
def test_query(testUrl):
mysql = Database()
try:
querySql = "SELECT * FROM `article` WHERE url='" + testUrl + "'"
chanels = mysql.query(querySql)
return chanels
except Exception, e:
print eThis method is very simple. One of the most common selectquery statements also uses the simplest string splicing to form a sql statement. It is obvious that the parameter testUrl passed in is controllable. If you want to perform injection testing, you only need to add a single quote after the value of testUrl to perform sql injection testing. Needless to say, there must be an injection vulnerability. Run the script and see what the result is.
(1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ' 't.tips''' at line 1")
The error message is echoed, a very familiar error. The test parameter I passed in here is
t.tips'
Let’s talk about another situation that leads to injection. After slightly modifying the above method
def test_query(testUrl):
mysql = Database()
try:
querySql = ("SELECT * FROM `article` WHERE url='%s'" % testUrl)
chanels = mysql.query(querySql)
return chanels
except Exception, e:
print eThis method does not use string splicing directly, but uses %s to replace the parameters to be passed in. See Does it look very much like precompiled sql? Can this way of writing prevent sql injection? You will know after testing it. The response is as follows
(1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''t.tips' '' at line 1")
is the same as the above test result, so this method is not possible, and this method is not precompiled sql statement, so what can be done to prevent sql injection?
Solution
Two solutions
1> Encoding and escaping the incoming parameters
2> Use the method that comes with Python’s MySQLdb module
The first solution is actually found in many PHP anti-injection methods. Escape or filter special characters.
The second option is to use internal methods, similar to PDO in PHP. Here you can simply modify the above database class.
Modified code
class Database:
hostname = '127.0.0.1'
user = 'root'
password = 'root'
db = 'pythontab'
charset = 'utf8'
def init(self):
self.connection = MySQLdb.connect(self.hostname, self.user, self.password, self.db, charset=self.charset)
self.cursor = self.connection.cursor()
def insert(self, query, params):
try:
self.cursor.execute(query, params)
self.connection.commit()
except Exception, e:
print e
self.connection.rollback()
def query(self, query, params):
cursor = self.connection.cursor(MySQLdb.cursors.DictCursor)
cursor.execute(query, params)
return cursor.fetchall()
def del(self):
self.connection.close()Here two parameters are passed in when execute is executed. The first is a parameterized sql statement, and the second It is the corresponding actual parameter value. The function will process the incoming parameter value accordingly to prevent sql injection. The actual method used is as follows
preUpdateSql = "UPDATE `article` SET title=%s,date=%s,mainbody=%s WHERE id=%s"
mysql.insert(preUpdateSql, [title, date, content, aid])
This can prevent sql injection. After passing in a list, the MySQLdb module will internally serialize the list into a tuple, and then escape operate.
The above is the detailed content of How to prevent sql injection using Python. For more information, please follow other related articles on the PHP Chinese website!
The Main Purpose of Python: Flexibility and Ease of UseApr 17, 2025 am 12:14 AMPython's flexibility is reflected in multi-paradigm support and dynamic type systems, while ease of use comes from a simple syntax and rich standard library. 1. Flexibility: Supports object-oriented, functional and procedural programming, and dynamic type systems improve development efficiency. 2. Ease of use: The grammar is close to natural language, the standard library covers a wide range of functions, and simplifies the development process.
Python: The Power of Versatile ProgrammingApr 17, 2025 am 12:09 AMPython is highly favored for its simplicity and power, suitable for all needs from beginners to advanced developers. Its versatility is reflected in: 1) Easy to learn and use, simple syntax; 2) Rich libraries and frameworks, such as NumPy, Pandas, etc.; 3) Cross-platform support, which can be run on a variety of operating systems; 4) Suitable for scripting and automation tasks to improve work efficiency.
Learning Python in 2 Hours a Day: A Practical GuideApr 17, 2025 am 12:05 AMYes, learn Python in two hours a day. 1. Develop a reasonable study plan, 2. Select the right learning resources, 3. Consolidate the knowledge learned through practice. These steps can help you master Python in a short time.
Python vs. C : Pros and Cons for DevelopersApr 17, 2025 am 12:04 AMPython is suitable for rapid development and data processing, while C is suitable for high performance and underlying control. 1) Python is easy to use, with concise syntax, and is suitable for data science and web development. 2) C has high performance and accurate control, and is often used in gaming and system programming.
Python: Time Commitment and Learning PaceApr 17, 2025 am 12:03 AMThe time required to learn Python varies from person to person, mainly influenced by previous programming experience, learning motivation, learning resources and methods, and learning rhythm. Set realistic learning goals and learn best through practical projects.
Python: Automation, Scripting, and Task ManagementApr 16, 2025 am 12:14 AMPython excels in automation, scripting, and task management. 1) Automation: File backup is realized through standard libraries such as os and shutil. 2) Script writing: Use the psutil library to monitor system resources. 3) Task management: Use the schedule library to schedule tasks. Python's ease of use and rich library support makes it the preferred tool in these areas.
Python and Time: Making the Most of Your Study TimeApr 14, 2025 am 12:02 AMTo maximize the efficiency of learning Python in a limited time, you can use Python's datetime, time, and schedule modules. 1. The datetime module is used to record and plan learning time. 2. The time module helps to set study and rest time. 3. The schedule module automatically arranges weekly learning tasks.
Python: Games, GUIs, and MoreApr 13, 2025 am 12:14 AMPython excels in gaming and GUI development. 1) Game development uses Pygame, providing drawing, audio and other functions, which are suitable for creating 2D games. 2) GUI development can choose Tkinter or PyQt. Tkinter is simple and easy to use, PyQt has rich functions and is suitable for professional development.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
PhpStorm Mac version
The latest (2018.2.1) professional PHP integrated development tool
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
Dreamweaver Mac version
Visual web development tools
Dreamweaver CS6
Visual web development tools
