SQLAlchemy + SQL Injection

Front-end · Unresolved · 3 answers · 1380 views
情深已故 2020-12-04 21:52

What are the best practices for mitigating SQL injection attacks when using SQLAlchemy?

3 answers
  •  遥遥无期
    2020-12-04 22:04

    tldr: Avoid raw SQL as much as possible.

    The accepted answer is lazy and incorrect. The filter method accepts raw SQL, and if used in that way, it is fully susceptible to SQL injection attacks. For instance, if you were to accept a value from a URL and combine it with raw SQL in the filter, you are open to attack:

    session.query(MyClass).filter("foo={}".format(getArgs['val']))
    

    Using the above code and the below URL, you would be injecting SQL into your filter statement. The code above would return all rows in your database.

    URL encoded:

    https://example.com/?val=2%20or%201%20=%201
    

    Easier to understand (URL decoded):

    https://example.com/?val=2 or 1 = 1
    
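As an added example (not part of the answer above), the formatted filter from the answer beside two parameterised forms, run against an in-memory SQLite table with constructed rows; `MyClass`, its `foo` column and the `myclass` table name are assumptions, and it needs SQLAlchemy 1.4 or later:

```python
# Added example, not the original answer's code: the string-formatted filter
# beside its bound-parameter counterparts, on a constructed in-memory table.
from sqlalchemy import Column, Integer, String, create_engine, text
from sqlalchemy.orm import Session, declarative_base

Base = declarative_base()


class MyClass(Base):  # assumed model, as named in the answer
    __tablename__ = "myclass"
    id = Column(Integer, primary_key=True)
    foo = Column(Integer)
    name = Column(String)


def make_session():
    """Fresh in-memory SQLite DB seeded with three constructed rows."""
    engine = create_engine("sqlite://")
    Base.metadata.create_all(engine)
    session = Session(engine)
    session.add_all([MyClass(foo=1, name="a"), MyClass(foo=2, name="b"),
                     MyClass(foo=3, name="c")])
    session.commit()
    return session


def vulnerable_lookup(session, val):
    """The pattern the answer warns about: user input spliced into raw SQL.
    Recent SQLAlchemy needs text() before it will accept a string here at all."""
    return session.query(MyClass).filter(text("foo={}".format(val))).all()


def safe_lookup_orm(session, val):
    """Compare against the column object; the value travels as a bound parameter."""
    return session.query(MyClass).filter(MyClass.foo == val).all()


def safe_lookup_text(session, val):
    """Raw SQL that cannot be avoided still gets a named bind, never formatting."""
    return session.query(MyClass).filter(text("foo=:val").bindparams(val=val)).all()


def demo(val="2 or 1 = 1"):
    """Row counts each form returns for the answer's URL-decoded payload."""
    session = make_session()
    return (len(vulnerable_lookup(session, val)),
            len(safe_lookup_orm(session, val)),
            len(safe_lookup_text(session, val)))
```

With the payload from the answer, `demo()` returns 3 rows for the formatted filter and 0 for both bound forms, because the whole string is compared as a single value rather than parsed as SQL.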
