python番外篇--sql注入

一、sql注入概念介绍

所谓SQL注入,就是通过把SQL命令插入到Web表单提交或输入域名或页面请求的查询字符串,最终达到欺骗服务器执行恶意的SQL命令。具体来说,它是利用现有应用程序,将(恶意的)SQL命令注入到后台数据库引擎执行的能力,它可以通过在Web表单中输入(恶意)SQL语句得到一个存在安全漏洞的网站上的数据库,而不是按照设计者意图去执行SQL语句。

二、Python中防止sql注入的方法

import pymysql

def op_mysql(host,user,password,db,sql,port=3306,charset='utf8'):
	conn = pymysql.connect(host=host,user=user,
						   password=password,
						   port=port,
						   charset=charset,db=db)
	cur = conn.cursor(cursor=pymysql.cursors.DictCursor)
	cur.execute(sql)
	sql_start = sql[:6].upper() #取sql前6个字符串,判断它是什么类型的sql语句
	if sql_start=='SELECT' :
		res = cur.fetchall()
	else:
		conn.commit()
		res = 'ok'
	cur.close()
	conn.close()
	return res

# conn = pymysql.connect(host='211.149.218.16',user='jxz',
# 					   password='123456',
# 					   port=3306,
# 					   charset='utf8',db='jxz')
# cur = conn.cursor(cursor=pymysql.cursors.DictCursor)
# name='zdq'
# # sql = 'select * from bt_stu where username="%s"; '%name
# sex='nv'
# cur.execute('select * from bt_stu where real_name="%s;"' % name) #可以sql注入的
# cur.execute('select * from bt_stu where real_name=%s and sex = %s',(name,sex)) #可以防止sql注入
# print(cur.fetchall())


def test(a,b):
	# print(a,b)
	pass
li = [1,2]
d = {'a':'ybq','b':'mpp'}
test(*li)
test(**d)
conn = pymysql.connect(host='211.149.218.16',user='jxz',
					   password='123456',
					   port=3306,
					   charset='utf8',db='jxz')
cur = conn.cursor(cursor=pymysql.cursors.DictCursor)

def op_mysql_new(sql,*data): #data传入后会变成一个List
	#利用 *data这个可变参数,就能防止sql注入了
	print(sql)
	print(data)
	cur.execute(sql,data)
	# cur.execute('select',(name,id,name))
	# cur.execute('select * from user where name=%s',('haha'))
	print(cur.fetchall())
# sql = 'select * from user where username  = %s and sex=%s;'
# name='haha'
# sex='xxx'
# op_mysql_new(sql,name,sex)

conn = pymysql.connect(host='211.149.218.16',user='jxz',
					   password='123456',
					   port=3306,
					   charset='utf8',db='jxz')

cur = conn.cursor(cursor=pymysql.cursors.DictCursor)

sql = 'insert into seq (blue,red,date) values (%s,%s,%s)'
all_res = [
	['16','01,02,03,05,09,06','2018-01-28'],
	['15','01,02,03,05,09,06','2018-01-28'],
	['14','01,02,03,05,09,06','2018-01-28'],
	['13','01,02,03,05,09,06','2018-01-28'],
	['13','01,02,03,05,09,06','2018-01-28'],
	['13','01,02,03,05,09,06','2018-01-28'],
	['13','01,02,03,05,09,06','2018-01-28'],
	['13','01,02,03,05,09,06','2018-01-28'],
	['13','01,02,03,05,09,06','2018-01-28'],
	['13','01,02,03,05,09,06','2018-01-28'],
	['13','01,02,03,05,09,06','2018-01-28'],
	['13','01,02,03,05,09,06','2018-01-28'],
]
cur.executemany(sql,all_res) #批量执行
conn.commit()

  

转载于:https://www.cnblogs.com/SuKiWX/p/8962183.html

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值