flask mysql sql注入_防止sql注入

@server.route('/login',methods=['post'])

def login():

username=flask.request.values.get('u')

password=flask.request.values.get('p')

sql="select * from USER where username='%s' and password='%s';"%(username,password)

print(sql)

#username=" ' or '1'='1"

#username=" ';show tables;--"

#username=

#select * from user where username='' or '1'='1' and password=''

#利用一个条件为真

res=op_mysql(sql)

if res:

#response=json.dumps()

response={'msg':'登陆成功'}

else:

response={'msg':'登录失败'}

return json.dumps(response,ensure_ascii=False)

#避免sql注入;注入的原理是引号

cursor.execute("select * from user where username=%s and password=%s",(username,password))

重写数据库方法：

from conf import setting

import pymysql

def test(a,b):

print(a,b)

li=[1,2]

d={'a':12,'b':13}

test(*li)

test(**d)

conn = pymysql.connect(host=setting.MYSQL_HOST, user=setting.USER, passwd=setting.PASSWORD, port=setting.PORT,

charset='utf8', db=setting.DB)

cur = conn.cursor(cursor=pymysql.cursors.DictCursor)

def op_mql_new(sql,*data):

print(sql)

print(name)

cur.execute(sql,*data)

print(cur.fetchall())

sql='select * from user where username=%s and password=%s'

name=['luonan1','123456']

op_mql_new(sql,name)