Escaping dynamic sqlite query?

前端 未结 1 1253
伪装坚强ぢ
伪装坚强ぢ 2021-01-29 02:54

I\'m currently building SQL queries depending on input from the user. An example how this is done can be seen here:

def generate_conditions(table_name,nameValues         


        
1条回答
  •  野趣味
    野趣味 (楼主)
    2021-01-29 03:35

    You have two options:

    1. Switch to using SQLAlchemy; it'll make generating dynamic SQL a lot more pythonic and ensures proper quoting.

    2. Since you cannot use parameters for table and column names, you'll still have to use string formatting to include these in the query. Your values on the other hand, should always be using SQL parameters, if only so the database can prepare the statement.

      It's not advisable to just interpolate table and column names taken straight from user input, it's far too easy to inject arbitrary SQL statements that way. Verify the table and column names against a list of such names you accept instead.

      So, to build on your example, I'd go in this direction:

      tables = {
          'e': ('unit1', 'unit2', ...),   # tablename: tuple of column names
      }
      
      def generate_conditions(table_name, nameValues):
          if table_name not in tables:
              raise ValueError('No such table %r' % table_name)
          sql = u""
          params = []
          for field in nameValues:
              if field not in tables[table_name]:
                  raise ValueError('No such column %r' % field)
              sql += u" AND {0}.{1}=?".format(table_name, field)
              params.append(nameValues[field])
          return sql, params
      
      search_query = u"SELECT * FROM Enheter e LEFT OUTER JOIN Handelser h ON e.Id == h.Enhet WHERE 1=1"
      
      search_params = []
      if "Enhet" in args:
          sql, params = generate_conditions("e",args["Enhet"])
          search_query += sql
          search_params.extend(params)
      c.execute(search_query, search_params)
      

    0 讨论(0)
提交回复
热议问题