How to avoid sql injection in django

Methods to avoid sql injection in Django: 1. Verify user input; 2. Do not use dynamic assembly of sql; 3. Do not store confidential information directly; 4. Application exception information should be given Use as few prompts as possible; 5. Use Dajngo’s ORM to effectively avoid sql injection.

What is SQL injection?

The so-called SQL injection is to insert a SQL command into a Web form to submit or enter a domain name or query string for a page request, and ultimately trick the server into executing malicious SQL commands. Specifically, it is the ability to use existing applications to inject (malicious) SQL commands into the backend database engine for execution. It can obtain information on a website with security vulnerabilities by entering (malicious) SQL statements into a web form. database, rather than executing SQL statements as intended by the designer. For example, many previous film and television websites leaked VIP member passwords, mostly by submitting query characters through WEB forms. Such forms are particularly vulnerable to SQL injection attacks.

For example, there is a front_user table in the database now. The table structure is as follows:

class User(models.Model): telephone = models.CharField(max_length=11) username = models.CharField(max_length=100)
 password = models.CharField(max_length=100)

Then we use native sql statements to achieve the following requirements:

1. Implement a view to obtain user details based on user ID. The sample code is as follows:

def index(request): user_id = request.GET.get('user_id') cursor = connection.cursor() cursor.execute('select 
id,username from front_user where id=%s' % user_id) rows = cursor.fetchall() for row in rows: print(row) 
return HttpResponse('success')

This seems to be no problem on the surface. But if the user_id passed by the user is equal to 1 or 1=1, then the above spliced ​​sql statement is:

select id,username from front_user where id=1 or 1=1

The condition of the above sql statement is id=1 or 1=1, as long as id=1 or If one of the two 1=1 is true, then the entire condition is true. There is no doubt that 1=1

is definitely established. Therefore, after executing the above sql statement, all data in the front_user table will be extracted.

2. Implement a view that extracts users based on their username. The sample code is as follows:

def index(request): username = request.GET.get('username') cursor = connection.cursor() cursor.execute('select 
id,username from front_user where username='%s'' % username) rows = cursor.fetchall() for row in rows: print(row) 
return HttpResponse('success')

This seems to be no problem on the surface. But if the username passed by the user is zhiliao' or '1=1, then the sql statement after the above splicing is:

select id,username from front_user where username='zhiliao' or '1=1'

The condition of the above sql statement is username='zhiliao' or a string, nothing Doubt, the judgment of string is definitely established. Therefore, all data in the front_user table will be extracted.

SQL injection defense can be classified into the following points:

The above is the principle of SQL injection. He destroys the original SQL statement by passing some malicious parameters to achieve his own goals. Of course, SQL injection is far from simple. What we are talking about now is just the tip of the iceberg. So how to prevent sql injection?

1. Never trust user input. To verify the user's input, you can use regular expressions or limit the length; convert single quotes and double '-', etc.

2. Never use dynamic assembly of sql. You can use parameterized sql or directly use stored procedures for data query and access. For example:

def index(request): user_id = '1 or 1=1' cursor = connection.cursor() cursor.execute('select id,username from 
front_user where id=%s',(user_id,)) rows = cursor.fetchall() for row in rows: print(row) return HttpResponse('success')

3. Never use a database connection with administrator privileges. Use a separate database connection with limited privileges for each application.

4. Do not store confidential information directly, encrypt or hash passwords and sensitive information.

5. The application's exception information should give as few prompts as possible. It is best to use custom error information to wrap the original error information.

Summary:

1. Use sql statements to carry out injection attacks on web pages. The web page obtains user input parameters, but some malicious users use special sql statements to upload parameters. If you do not judge the correctness and legality of the parameters obtained on the end, it may cause harm to the database

2. When uploading data with get and post, check the parameters

3. Using Dajngo's ORM can effectively avoid sql injection, because Django has escaped special characters

The above is the detailed content of How to avoid sql injection in django. For more information, please follow other related articles on the PHP Chinese website!