How can I avoid hard-coded SQL expressions in this Python script?

Tags: python, postgresql, raspberry-pi, sql-injection, psycopg2

In short, I read some data from an NRF24 sensor on a Raspberry Pi and then write it to a database. According to Codacy I need to avoid hard-coded SQL expressions, but I don't know what is wrong with my script. Can you help me?
```python
import time
from datetime import datetime
import sys
from struct import unpack
from RF24 import RF24
import psycopg2

irq_gpio_pin = None
con = None
radio = RF24(22, 0)


def get_data_from_node():
    if radio.available():
        while radio.available():
            length = 10
            receive_payload = radio.read(length)
            # Five signed 16-bit values: node number plus four readings
            values = unpack('hhhhh', receive_payload)
            print "Node Number: " + str(values[0]) + "\nLight: " + str(values[1]) + " Humidity: " + str(values[2]) + " Temperature: " + str(values[3]) + " MQ6: " + str(values[4])
            #TIMESTAMPT = "(%s)",(datetime.now(),)
            # The statement is assembled from the readings by string
            # concatenation and % formatting; this is what Codacy flags.
            LOG = "INSERT INTO LOGS (HUMIDITY,TEMPERATURE,PRESSURE,AIR_QUALITY,READING_TIME,LOG_TIME,BASE_STATION_ID) VALUES(" + str(values[1]) + "," + str(values[2]) + "," + str(values[3]) + "," + str(values[4]) + ",('%s'),('%s'),1);" % (datetime.now(), datetime.now(),)
            write_to_db(LOG)


def write_to_db(LOG):
    try:
        con = psycopg2.connect(database='dname', user='uname', password='pass')
        con.cursor().execute(LOG)
        con.commit()
    except psycopg2.DatabaseError, e:
        print 'Error %s' % e
        sys.exit(1)


pipes = ["0Node", "1Node"]
radio.begin()
radio.setRetries(15, 15)
radio.printDetails()
radio.openWritingPipe(pipes[1])
radio.openReadingPipe(1, pipes[0])
radio.startListening()

while 1:
    get_data_from_node()
    time.sleep(0.1)
```
Based on the psycopg documentation, cursor.execute() can take two arguments: the SQL statement and a sequence of values to insert. Building the insert statement this way lets psycopg convert the Python values to the DB format correctly and gives protection against SQL injection attacks:

```python
...
log = "INSERT INTO LOGS (HUMIDITY,TEMPERATURE,PRESSURE,AIR_QUALITY,READING_TIME,LOG_TIME,BASE_STATION_ID) VALUES (%s, %s, %s, %s, %s, %s, %s);"
# values is a tuple, so convert before concatenating; the four readings
# are values[1] to values[4], matching the columns in the original script
vals = list(values[1:5]) + [datetime.now(), datetime.now(), 1]
write_to_db(log, vals)
...

def write_to_db(LOG, vals):
    try:
        con = psycopg2.connect(database='dname', user='uname', password='pass')
        # psycopg2 binds vals to the %s placeholders; no value is formatted into the SQL text
        con.cursor().execute(LOG, vals)
        con.commit()
...
```
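The parameterized form from the answer, carried through from a constructed NRF24 payload, as an added example that is not part of the question or the answer. It assumes the same `hhhhh` payload layout and column order; because psycopg2 needs a live PostgreSQL server, the round-trip check runs against an in-memory sqlite3 stand-in, and the `%s` placeholders are rewritten to sqlite3's `?` only for that stand-in.

```python
import sqlite3
from datetime import datetime
from struct import pack, unpack

# Same statement as the answer: psycopg2 substitutes the %s placeholders
# itself, so no reading is ever spliced into the SQL text.
LOG_SQL = (
    "INSERT INTO LOGS (HUMIDITY,TEMPERATURE,PRESSURE,AIR_QUALITY,"
    "READING_TIME,LOG_TIME,BASE_STATION_ID) VALUES (%s, %s, %s, %s, %s, %s, %s);"
)


def build_log_params(payload, base_station_id=1, now=None):
    """Unpack one 10-byte node payload ('hhhhh') into the parameter list.

    values[0] is the node number; values[1:5] are the four readings the
    original script inserted, in column order."""
    values = unpack('hhhhh', payload)
    now = now or datetime.now()
    return list(values[1:5]) + [now, now, base_station_id]


def write_to_db(con, sql, params):
    """Execute a parameterized INSERT; the driver binds params, not str()."""
    with con:
        con.cursor().execute(sql, params)


def constructed_payload():
    # Constructed sample: node 3, light 512, humidity 55, temp -7, MQ6 120.
    return pack('hhhhh', 3, 512, 55, -7, 120)


def demo_roundtrip(payload):
    """Stand-in run against in-memory sqlite3 (psycopg2 needs a live
    PostgreSQL server); sqlite3 uses '?' placeholders and has no timestamp
    type, so the %s form and the datetimes are converted for it only."""
    con = sqlite3.connect(':memory:')
    con.execute("CREATE TABLE LOGS (HUMIDITY INTEGER, TEMPERATURE INTEGER, "
                "PRESSURE INTEGER, AIR_QUALITY INTEGER, READING_TIME TEXT, "
                "LOG_TIME TEXT, BASE_STATION_ID INTEGER)")
    params = build_log_params(payload, now=datetime(2020, 1, 1, 12, 0, 0))
    params = [p.isoformat() if isinstance(p, datetime) else p for p in params]
    write_to_db(con, LOG_SQL.replace('%s', '?'), params)
    return con.execute("SELECT * FROM LOGS").fetchone()
```

Negative readings such as the -7 temperature bind correctly without any quoting logic, which is the part string concatenation leaves to chance.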