Question

Consider the sqlite3 fts4 table

c.execute("CREATE VIRTUAL TABLE docs USING fts4(content)")

Is the following safe from SQL injection, where txt contains a string?
I am not sure if the parameterised query is safe or not, since there is only one parameter, txt, which is a string.

c.execute("SELECT * FROM docs WHERE docs MATCH (?)",(txt,))
Recommended answer

Yes, it is safe from SQL injection; that is what the SQL parameter is for, to escape and quote txt properly.

If you were to use string formatting ("... MATCH ('%s')" % txt or "... MATCH ('{}')".format(txt)), then you'd be opening a SQL injection vector, as you wouldn't be escaping meta characters in txt.
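The following is an added example, not code from the question or the answer above. It builds the same fts4 table in an in-memory database with a few constructed documents and runs the two variants side by side: the parameterised MATCH from the question, and the string-formatted variant the answer warns against. A search term containing an apostrophe ("O'Reilly", constructed here) is enough to show the difference: the bound parameter never reaches the SQL parser, while the formatted version turns the apostrophe into a SQL syntax error, which is the same mechanism an attacker would use to change the statement. The helper names (build_docs_db, search_parameterised, search_formatted) are this example's own.

```python
import sqlite3

# Constructed sample documents for the demonstration.
SAMPLE_DOCS = [
    ("alpha beta",),
    ("beta gamma",),
    ("O'Reilly books",),
]


def build_docs_db():
    """Create the fts4 table from the question in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    c = conn.cursor()
    c.execute("CREATE VIRTUAL TABLE docs USING fts4(content)")
    c.executemany("INSERT INTO docs(content) VALUES (?)", SAMPLE_DOCS)
    conn.commit()
    return conn


def search_parameterised(conn, txt):
    """Safe form: txt is bound as a parameter, so it can only ever be
    the MATCH expression, never part of the SQL statement itself."""
    rows = conn.execute(
        "SELECT content FROM docs WHERE docs MATCH (?)", (txt,)
    )
    return [row[0] for row in rows]


def search_formatted(conn, txt):
    """Vulnerable form: txt is pasted into the SQL text. A quote in txt
    breaks out of the literal. Returns None when SQLite rejects the
    resulting statement, so the failure is visible to the caller."""
    sql = "SELECT content FROM docs WHERE docs MATCH ('%s')" % txt
    try:
        rows = conn.execute(sql)
    except sqlite3.OperationalError:
        return None
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_docs_db()
    # Parameterised: the apostrophe is just data.
    print(search_parameterised(db, "O'Reilly"))
    # Formatted: the same input becomes a malformed SQL statement.
    print(search_formatted(db, "O'Reilly"))
    # FTS operators are still interpreted inside the bound MATCH expression.
    print(sorted(search_parameterised(db, "alpha OR gamma")))
```

One point the answer does not spell out: binding txt as a parameter keeps it out of the SQL grammar, but the bound string is still parsed by FTS4 as a MATCH expression, so operators such as OR, NOT, NEAR, column prefixes and trailing * are honoured (the last call above returns both documents). That is expected full-text behaviour, not SQL injection; if callers should not be able to use query operators, the application has to constrain or quote the term before binding it.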