How to avoid SQL injection in Python

小新
215
2021-02-01 18:14:12

How Python avoids SQL injection:

Before pymysql executes a SQL statement, it escapes the special characters in the values it sends, for example:

def escape_string(value, mapping=None):
    """escape_string escapes *value* but not surround it with quotes.

    Value should be bytes or unicode.
    """
    # Excerpt from the Python-2-era pymysql converters module: `unicode`
    # and `_escape_unicode` are defined elsewhere in that same module.
    if isinstance(value, unicode):
        return _escape_unicode(value)
    assert isinstance(value, (bytes, bytearray))
    # Every character that could terminate or alter a string literal is
    # prefixed with a backslash so the server reads it as data, not syntax.
    value = value.replace('\\', '\\\\')
    value = value.replace('\0', '\\0')
    value = value.replace('\n', '\\n')
    value = value.replace('\r', '\\r')
    value = value.replace('\032', '\\Z')   # Ctrl-Z
    value = value.replace("'", "\\'")
    value = value.replace('"', '\\"')
    return value

The correct way to execute SQL is to never concatenate parameters into the SQL string: the escaping above is applied only to the values passed as args, for example:

# Signature of pymysql's Cursor.execute: query is the SQL template,
# args holds the parameters that will be passed in and escaped.
execute(query, args=None)
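The following is an added example, not code from the original post or from pymysql. It contrasts the concatenation the post warns against with the template-plus-args call it recommends. It uses Python's built-in sqlite3 module so that it runs without a MySQL server; the `execute(query, args)` call is the same DB-API 2.0 pattern, except that pymysql uses `%s` placeholders where sqlite3 uses `?`. The table, rows and the names `make_db`, `lookup_unsafe`, `lookup_safe` and `compare` are all constructed for the illustration.

```python
import sqlite3

# Constructed sample data (not from the original page).
SAMPLE_USERS = [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows.

    SQLite is used only because it ships with Python; pymysql's
    cursor.execute(query, args) takes the same shape, with %s placeholders.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable pattern: the value is spliced into the SQL text itself.

    A quote inside `name` changes the structure of the statement, so the
    database can no longer tell data from code.
    """
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Correct pattern from the post: a fixed SQL template plus separate args.

    The driver escapes or binds `name` as a value, so quotes inside it stay
    data and never become statement syntax.
    """
    query = "SELECT email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input and report what each returned."""
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, name)
    except sqlite3.Error as exc:
        # The concatenated statement is no longer valid SQL.
        unsafe = f"error: {exc}"
    safe = lookup_safe(conn, name)
    conn.close()
    return {"unsafe": unsafe, "safe": safe}


if __name__ == "__main__":
    # A plain name works either way; a name containing a quote breaks the
    # concatenated query but is handled correctly by the parameterised one.
    for candidate in ("alice", "O'Brien"):
        print(candidate, compare(candidate))
```

The legitimate value `O'Brien` is enough to show the difference: the concatenated statement fails with a syntax error because the quote ends the literal early, while the parameterised call returns the matching row. Whatever the input contains, the template never changes, which is exactly why escaping only the args is sufficient.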
