我就废话不多说了,还是直接看代码吧!
#coding:utf8
#在开发过程中,要对前端传过来的数据进行验证,防止sql注入攻击,其中的一个方案就是过滤用户传过来的非法的字符
def sql_filter(sql, max_length=20):
dirty_stuff = ["\"", "\\", "/", "*", "'", "=", "-", "#", ";", "", "+", "%", "$", "(", ")", "%", "@","!"]
for stuff in dirty_stuff:
sql = sql.replace(stuff, "")
return sql[:max_length]
username = "1234567890!@#!@#!@#$%======$%"
username = sql_filter(username) # SQL注入
print username
# 输出结果是:1234567890
补充知识:python解决sql注入以及特殊字符
python往数据库插入数据,
基础做法是:
cur=db.cursor()
sql = "INSERT INTO test2(cid