Python 改进SQL插入查询以避免SQL注入
我正在使用pymyql/mysql连接器将消息写入mysql数据库。消息在mqtt broker的回调(paho.mqtt callback)上处理。我有4个不同的表,根据消息类型,我将消息插入数据库。我已将插入查询编写如下。这种编写方式似乎导致了sql注入。有什么建议可以改进insert查询语句吗Python 改进SQL插入查询以避免SQL注入,python,mysql,sql,sql-injection,sql-insert,Python,Mysql,Sql,Sql Injection,Sql Insert,我正在使用pymyql/mysql连接器将消息写入mysql数据库。消息在mqtt broker的回调(paho.mqtt callback)上处理。我有4个不同的表,根据消息类型,我将消息插入数据库。我已将插入查询编写如下。这种编写方式似乎导致了sql注入。有什么建议可以改进insert查询语句吗 # callback attached to paho.mqtt.client def on_message(self, client, userdata, msg): if m
# callback attached to paho.mqtt.client
def on_message(self, client, userdata, msg):
if msg.topic.startswith("topic1/"):
self.bulkpayload += "(" + msg.payload.decode("utf-8") + "," + datetime + "),"
elif msg.topic.startswith("topic2/"):
self.insertStatement += "INSERT INTO mydatabase.table1 VALUES (" + msg.payload.decode("utf-8") + "," + datetime + ");"
elif msg.topic.startswith("topic3/")
self.insertStatement += "INSERT INTO mydatabase.table2 VALUES (" +msg.payload.decode("utf-8") + "," + datetime + ");"
elif msg.topic.startswith("messages"):
self.insertStatement += "INSERT INTO mydatabase.table3 VALUES ('" + msg.topic + "'," + msg.payload.decode("utf-8") + "," + datetime + ");"
else:
return # do not store in DB
cursor.execute(self.insertStatement)
cursor.commit()
使您的查询使用参数。注射的机会要小得多:
cursor.execute(“插入表值(%s,%s,%s)”,(var1,var2,var3))此外,Dan Bracuk是正确的-如果在发送查询和使用查询参数之前尚未验证用户输入,请确保在执行SQL之前验证参数。我不太熟悉Python语法,但您能将insert语句参数化吗?这将有助于我像这样使用cursor.execute(“插入表值(%s,%s,%s)”,(msg.payload.decode(“utf-8”),var3))我想是的……我不是Python语法专家……无论如何,试试吧!到时候你就能为自己找到最好的解决方案。注意:该示例有三个
%smsg.payload.decode(“utf-8”)