python 解決 sql injection 問題
發表於 : 2021年 8月 11日, 17:05
SQL 語法
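# Login lookup: every value, including `today`, is bound as a %s parameter.
# The original formatted `today` into the statement with an f-string while
# binding only login/password; keeping the SQL text constant means no value
# can ever change the shape of the query.
# NOTE(review): the WHERE clause compares `password` directly with the
# supplied value. If that column holds plaintext passwords, store a salted
# password hash and verify against it instead -- confirm against the schema.
SQL = """select user_id, user_name, admin, times
         from mlp.user_authority
         where login = %s and password = %s
           and %s between active_date and inactive_date """
rows = db.execute_raw_sql(SQL, email1, password1, today)
# 這樣執行 (executed like this)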
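def execute_raw_sql(sql, *arg):
    """Run one parameterized statement and return all of its rows.

    A new connection is opened from ``db_config`` for every call and closed
    again before returning.

    Args:
        sql: Statement text containing ``%s`` placeholders. It must be a
            constant string; never build it by formatting request data into
            it, because only the values in ``arg`` are bound by the driver.
        *arg: Values bound to the placeholders, in order.

    Returns:
        The sequence returned by ``fetchall()``, or ``None`` when the query
        produced no rows or a ``db.Error`` was raised. Callers cannot tell
        these two cases apart, so treat ``None`` as "no match" (for a login
        check that means the attempt is rejected).
    """
    rows = None
    try:
        cnx = db.connect(**db_config)
        try:
            cur = cnx.cursor()
            try:
                # The driver binds `arg` as data; the SQL text is sent as-is.
                cur.execute(sql, arg)
                rows = cur.fetchall() or None
            finally:
                # Release the cursor even when execute()/fetchall() fails.
                cur.close()
        except db.Error as error:
            rows = None
            # Only the statement text is logged. `arg` is deliberately left
            # out because it can carry credentials (e.g. the login password).
            log('excute_raw_sql error:', error, 'sql:', sql)
        finally:
            # Always return the connection, including on non-db exceptions
            # that propagate to the caller.
            cnx.close()
    except db.Error as error:
        # Connection or close failure: report it and fail with no rows.
        log(error)
        rows = None
    return rows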