How can I prevent SQL injection in PYTHON-DJANGO

From openkb

Questions

If user input is inserted directly into an SQL query, the application becomes vulnerable to SQL injection, as in the following example:

dinosaur = request.GET['username']

sql = "SELECT * FROM user_contacts WHERE username = '%s';" % dinosaur

The tables can then be dropped, or anything else done, by making the query:

INSERT INTO table (column) VALUES('value'); DROP TABLE table;--')

What may one do to prevent this?

Answers

https://docs.djangoproject.com/en/dev/topics/db/

http://www.python.org/dev/peps/pep-0249/

from django.db import connection

cursor = connection.cursor()
# The value is passed as a separate parameter, not pasted into the SQL text,
# so the database driver treats it as data rather than as part of the statement.
cursor.execute("insert into table (column) values (%s)", (dinosaur,))
cursor.close()

https://pypi.python.org/pypi/handy

from handy.db import do_sql

# Same parameterised form, with the cursor handling wrapped by handy.
do_sql("insert into table (column) values (%s)", (dinosaur,))
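To show what the parameterised form buys you, here is an added example (not from the question or answers) that runs the page's lookup against an in-memory SQLite database through the DB-API 2.0 interface the answer links to. The table and rows are constructed for the demo; note that sqlite3 uses `?` placeholders, whereas Django's `connection.cursor()` always takes `%s` regardless of the backend.

```python
import sqlite3

# Constructed sample data standing in for the page's user_contacts table.
SAMPLE_ROWS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]

# The injected value from the question, used here only as a test input.
MALICIOUS_USERNAME = "value'); DROP TABLE user_contacts;--"


def make_db():
    """Create the constructed user_contacts table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_contacts (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO user_contacts VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def unsafe_sql(username):
    """The question's approach: the raw value becomes part of the SQL text,
    so quotes and semicolons in it change the statement's structure."""
    return "SELECT * FROM user_contacts WHERE username = '%s';" % username


def lookup(conn, username):
    """Parameterised lookup: the driver sends the value separately, so it is
    only ever compared as a string and never parsed as SQL."""
    cur = conn.cursor()
    try:
        cur.execute(
            "SELECT username, email FROM user_contacts WHERE username = ?",
            (username,),
        )
        return cur.fetchall()
    finally:
        cur.close()


def store_and_lookup(conn, username):
    """Insert an arbitrary username via parameters, then read it back.
    Hostile-looking input is stored verbatim and the schema is untouched."""
    conn.execute("INSERT INTO user_contacts VALUES (?, ?)", (username, "x@example.org"))
    return lookup(conn, username)


def table_exists(conn, name):
    """Check sqlite_master so the demo can confirm no table was dropped."""
    cur = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    )
    return cur.fetchone() is not None
```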

Source

License : cc by-sa 3.0

http://stackoverflow.com/questions/20468143/how-can-i-prevent-sql-injection-in-python-django

