I have read that ORM's should minimise the possibilities of SQL injection attacks. However in Django, sometimes the ORM is somewhat limited, and I need to use raw SQL. What steps should I take to avoid SQL injection attacks?
我读到过ORM应该将SQL注入攻击的可能性最小化。但是在Django中,ORM有时是有限的,我需要使用原始SQL。我应该采取哪些步骤来避免SQL注入攻击?
Currently I would know to check for semicolons in the query string, but not much else. If I use parametrised queries, will this solve the problem? Are there any libraries to pass the string to, that will check it for me?
目前,我知道要检查查询字符串中的分号,但除此之外就没什么了。如果我使用参数化查询,这会解决问题吗?有什么库可以传递字符串给我,让我检查一下吗?
2 个解决方案
#1
4
The documentation states the following:
文件说明如下:
If you need to perform parameterized queries, you can use the params argument to
raw():如果需要执行参数化查询,可以将params参数用于raw():
>>> lname = 'Doe'
>>> Person.objects.raw('SELECT * FROM myapp_person WHERE last_name = %s', [lname])
paramsis a list or dictionary of parameters. You’ll use%splaceholders in the query string for a list, or%(key)splaceholders for a dictionary (where key is replaced by a dictionary key, of course), regardless of your database engine. Such placeholders will be replaced with parameters from the params argument.params是参数的列表或字典。您将在查询字符串中为列表使用%s占位符,或为字典使用%(key)s占位符(当然,这里的键被字典键替换),而不考虑数据库引擎。这样的占位符将由params参数中的参数替换。
This is also the standard way to pass parameters using Python's DB-API, which will sanitize your queries correctly.
这也是使用Python的DB-API传递参数的标准方式,它将正确地清理查询。
Whatever you do, don't do string interpolation.
无论你做什么,都不要做字符串插值。
#2
1
You have to bind your parameters! A complete guide with examples and solutions you can find here:
您必须绑定参数!一个完整的指南与例子和解决方案,你可以在这里找到:
http://www.djangobook.com/en/2.0/chapter20.html
http://www.djangobook.com/en/2.0/chapter20.html
#1
4
The documentation states the following:
文件说明如下:
If you need to perform parameterized queries, you can use the params argument to
raw():如果需要执行参数化查询,可以将params参数用于raw():
>>> lname = 'Doe'
>>> Person.objects.raw('SELECT * FROM myapp_person WHERE last_name = %s', [lname])
paramsis a list or dictionary of parameters. You’ll use%splaceholders in the query string for a list, or%(key)splaceholders for a dictionary (where key is replaced by a dictionary key, of course), regardless of your database engine. Such placeholders will be replaced with parameters from the params argument.params是参数的列表或字典。您将在查询字符串中为列表使用%s占位符,或为字典使用%(key)s占位符(当然,这里的键被字典键替换),而不考虑数据库引擎。这样的占位符将由params参数中的参数替换。
This is also the standard way to pass parameters using Python's DB-API, which will sanitize your queries correctly.
这也是使用Python的DB-API传递参数的标准方式,它将正确地清理查询。
Whatever you do, don't do string interpolation.
无论你做什么,都不要做字符串插值。
#2
1
You have to bind your parameters! A complete guide with examples and solutions you can find here:
您必须绑定参数!一个完整的指南与例子和解决方案,你可以在这里找到:
http://www.djangobook.com/en/2.0/chapter20.html
http://www.djangobook.com/en/2.0/chapter20.html