Python SQL injection attacks and their defenses: writing secure database queries - CSDN blog
Why can parameterized SQL queries prevent SQL injection? - Zhihu
Keyword: parameterized query
Code snippet
def execute(self, query, vars=None): # real signature unknown; restored from __doc__
    """ execute(query, vars=None) -- Execute query with bound vars. """
    pass

# 1: the value is spliced into the SQL text with an f-string
select_sql = f"select * from tb_admin where role = '{role_id}';"
cursor.execute(select_sql)

# 2: %s is the driver's placeholder; the value is passed separately as a bound parameter
select_sql = "select * from tb_admin where role = %s;"
cursor.execute(select_sql, (role_id, ))

Code 1 has an SQL injection risk
Code 2 has no risk
===========
Analysis (a summary based on the articles linked above; some detail is lost, for reference only):
Input parameter: 1' or '1'='1
Code 2 uses a parameterized query: the statement is precompiled and the input parameter is passed as one string value; code 1 does not.
Explained in SQL:
Code 1: select * from tb_admin where role = '1' or '1'='1'; so there is a risk (the quote in the input closes the literal and the rest becomes SQL syntax)
Code 2: select * from tb_admin where role = "1' or '1'='1"; (shown informally; the entire input is treated as a single string value, so it matches no role and nothing is injected)
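The following is an added example, not code from the original post or from the linked articles. It runs the two query styles from the snippet above against a constructed in-memory SQLite table (the `tb_admin` rows are made up) so the difference is observable. SQLite's DB-API paramstyle is `?` rather than the `%s` placeholder used by psycopg2/pymysql in the snippet; the principle is identical. The injected value returns every row through the f-string query and no rows through the parameterized one.

```python
import sqlite3

# Constructed sample data (not from the page): a tiny tb_admin table.
SAMPLE_ROWS = [(1, "alice", "1"), (2, "bob", "2"), (3, "carol", "3")]

# The input from the page's analysis.
INJECTED_INPUT = "1' or '1'='1"


def make_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tb_admin (id integer primary key, name text, role text)")
    conn.executemany("insert into tb_admin values (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def query_vulnerable(conn, role_id):
    """Code 1 from the page: the value is spliced into the SQL text, so a quote
    in the input closes the literal and the remainder is parsed as SQL."""
    select_sql = f"select * from tb_admin where role = '{role_id}';"
    return conn.execute(select_sql).fetchall()


def query_parameterized(conn, role_id):
    """Code 2 from the page, with sqlite3's '?' placeholder instead of '%s'.
    The SQL text is fixed; the driver binds the whole input as one string."""
    select_sql = "select * from tb_admin where role = ?;"
    return conn.execute(select_sql, (role_id,)).fetchall()


def compare():
    """Run both styles with a normal value and with the injected value."""
    conn = make_db()
    return {
        "normal_vuln": query_vulnerable(conn, "1"),
        "normal_param": query_parameterized(conn, "1"),
        "injected_vuln": query_vulnerable(conn, INJECTED_INPUT),
        "injected_param": query_parameterized(conn, INJECTED_INPUT),
    }


if __name__ == "__main__":
    for label, rows in compare().items():
        print(f"{label}: {rows}")
```

With a normal role both queries return the same single row; with the injected input the f-string version returns all three rows because the executed statement is `select * from tb_admin where role = '1' or '1'='1';`, while the parameterized version returns nothing because no row has the literal role `1' or '1'='1`.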
Tags: Python, code, sql, role, SQL, parameters, select, injection From: https://www.cnblogs.com/daizichuan/p/18514038