发表新帖
发表新帖

Improve SQL INSERT query to avoid sql injections

后端 未结
关注
1 1676
傲寒
傲寒 2021-01-27 07:27

I am using pymyql/mysql-connector to write the messages to mysql database. The messages are processed on callback (paho.mqtt callback) from mqtt broker.I have 4 different tables

1条回答
  • 粉色の甜心
    粉色の甜心 (楼主)
    2021-01-27 08:06

    Make your query use parameters. Much less chance of injection:

    cursor.execute("INSERT INTO table VALUES (%s, %s, %s)", (var1, var2, var3))

    credit (and more info) here: How to use variables in SQL statement in Python?

    Also, Dan Bracuk is correct - make sure you validate your params before executing the SQL if you aren't already

    0 讨论(0)
 看不清?
提交回复
热议问题