To pass variable parts to the SQL statement, use a question mark in the statement and pass in the arguments as a list. Never directly add them to the SQL statement with string formatting because this makes it possible to attack the application using SQL Injections.
Brutal
2012-09-21 20:32:30 +08:00
I'm now hesitating over whether to use an ORM...
loading
2012-09-21 21:02:14 +08:00
@fanzheng So the following can't be injected? user = query_db('select * from users where username = ?', [the_username], one=True)
Then how would you write one that can be injected? The one above looks injectable to me... for example the_username=";delete * from users"
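An added example (not code from this thread or from the docs quoted above): the query_db helper from the quote run against an in-memory SQLite table, showing that a "?" placeholder binds the_username as a plain value, while splicing it into the SQL text lets a quote in the input alter the statement. The table, the sample users, and the lookup_* function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the demo; not from the thread.
USERS = [("alice", "alice@example.com"), ("o'brien", "ob@example.com")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("create table users (username text, email text)")
    db.executemany("insert into users values (?, ?)", USERS)
    return db


def query_db(db, query, args=(), one=False):
    # Same shape as the helper in the quoted docs: args are bound by the driver.
    cur = db.execute(query, args)
    rv = cur.fetchall()
    cur.close()
    return (rv[0] if rv else None) if one else rv


def lookup_safe(db, the_username):
    # "?" is a bind parameter: the_username is compared as a literal string,
    # whatever characters it contains, so it never becomes part of the SQL.
    return query_db(db, "select * from users where username = ?", [the_username], one=True)


def lookup_formatted(db, the_username):
    # The pattern the docs warn against: the value is spliced into the SQL
    # text, so a quote inside the input changes the statement itself.
    return query_db(db, "select * from users where username = '%s'" % the_username, one=True)


def formatted_lookup_fails(db, the_username):
    # True when the formatted statement no longer parses (the input has
    # escaped the string literal); this is the symptom behind injection.
    try:
        lookup_formatted(db, the_username)
        return False
    except sqlite3.OperationalError:
        return True


def count_users(db):
    return query_db(db, "select count(*) as n from users", one=True)["n"]


if __name__ == "__main__":
    db = make_db()
    # The input from the thread, bound as a value: no row matches and the table is untouched.
    print(lookup_safe(db, ";delete * from users"), count_users(db))
    # A legitimate name with an apostrophe works when bound...
    print(lookup_safe(db, "o'brien")["email"])
    # ...but breaks the formatted statement, because the quote ends the literal early.
    print(formatted_lookup_fails(db, "o'brien"))
```

The bound version treats the thread's ";delete * from users" as an ordinary (non-matching) username; the formatted version cannot even handle a real name containing an apostrophe, which is the same weakness an attacker would use.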