Django: if raw SQL is used, what steps should be taken to avoid SQL injection attacks?

Date: 2022-10-05 08:44:17

I have read that ORM's should minimise the possibilities of SQL injection attacks. However in Django, sometimes the ORM is somewhat limited, and I need to use raw SQL. What steps should I take to avoid SQL injection attacks?

Currently I would know to check for semicolons in the query string, but not much else. If I use parametrised queries, will this solve the problem? Are there any libraries to pass the string to, that will check it for me?

2 answers

#1


4  

The documentation states the following:

If you need to perform parameterized queries, you can use the params argument to raw():

>>> lname = 'Doe'
>>> Person.objects.raw('SELECT * FROM myapp_person WHERE last_name = %s', [lname])

params is a list or dictionary of parameters. You’ll use %s placeholders in the query string for a list, or %(key)s placeholders for a dictionary (where key is replaced by a dictionary key, of course), regardless of your database engine. Such placeholders will be replaced with parameters from the params argument.

This is also the standard way to pass parameters using Python's DB-API, which will sanitize your queries correctly.

Whatever you do, don't do string interpolation.
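The contrast the answer draws, as an added example that is not part of the original answer or of Django's own code: the same lookup written with string interpolation and with a bound parameter, run against a constructed in-memory SQLite table through Python's DB-API. SQLite's driver uses `?` placeholders; Django's `raw()` and `connection.cursor()` accept `%s` and `%(key)s` for every backend, as the quoted documentation says, so the Django call would be `Person.objects.raw('SELECT ... WHERE last_name = %s', [lname])`. The table name, columns and rows are constructed for the demonstration. It also addresses the question's idea of checking for semicolons: the input that makes the interpolated query leak every row contains none.

```python
import sqlite3


def make_db():
    """Constructed stand-in for Django's myapp_person table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE myapp_person "
        "(id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO myapp_person (first_name, last_name) VALUES (?, ?)",
        [("John", "Doe"), ("Jane", "Doe"), ("Alice", "Smith"), ("Pat", "O'Brien")],
    )
    return conn


def find_by_last_name_interpolated(conn, lname):
    """VULNERABLE: the caller's text is spliced into the SQL and parsed as SQL."""
    sql = "SELECT first_name FROM myapp_person WHERE last_name = '%s'" % lname
    return sorted(row[0] for row in conn.execute(sql))


def find_by_last_name_parameterized(conn, lname):
    """SAFE: placeholder in the SQL, value handed to the driver separately.

    The driver never treats the value as SQL syntax, so quotes inside it are
    just characters.  '?' is sqlite3's positional placeholder; Django's raw()
    and connection.cursor() take '%s' here regardless of backend.
    """
    sql = "SELECT first_name FROM myapp_person WHERE last_name = ?"
    return sorted(row[0] for row in conn.execute(sql, [lname]))


def has_semicolon(s):
    """The check the question proposes; it does not decide anything useful."""
    return ";" in s


def interpolation_breaks_on(conn, lname):
    """True when the interpolated query is not even valid SQL for this input,
    which is what happens for a legitimate last name containing a quote."""
    try:
        find_by_last_name_interpolated(conn, lname)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    untrusted = "x' OR '1'='1"          # no semicolon, so the proposed check passes it
    print(has_semicolon(untrusted))                              # False
    print(find_by_last_name_interpolated(conn, untrusted))       # every row leaks
    print(find_by_last_name_parameterized(conn, untrusted))      # [] (no such last name)
    print(find_by_last_name_parameterized(conn, "Doe"))          # ['Jane', 'John']
    print(find_by_last_name_parameterized(conn, "O'Brien"))      # ['Pat']
    print(interpolation_breaks_on(conn, "O'Brien"))              # True: interpolation is also just buggy
```

Two things the run shows that the answer states only in prose: the semicolon check is irrelevant to whether the query is safe, and the bound parameter makes the same input an ordinary string comparison. The last call is the practical tie-breaker for anyone still tempted by interpolation: a real surname with an apostrophe breaks the interpolated query outright while the parameterized one returns the matching row.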

#2


1  

You have to bind your parameters! You can find a complete guide with examples and solutions here:

http://www.djangobook.com/en/2.0/chapter20.html