我正在為我的 web 應用程式編寫一個輔助函數,該函數根據從外部 API(不是用戶輸入的)獲取的一些資訊來更新資料庫。我有以下程式碼,但它被 Bandit python 套件標記為“不安全”。
理想情況下,我可以以硬編碼要更新的列的方式編寫一個函數,但我認為它也應該可以動態實現。
這是更新表的安全方法(不可能進行 SQL 注入)嗎?
1
388import mysql.connector as database
def update_message_by_uid(uid: str, update_dict: dict) -> None:
# Fetches the previous entry from the database using the unique identifier
message_info_dict = get_message_by_uid(uid)
# check that all the keys of the update dict are also in the original dict
assert set(update_dict.keys()) <= set(
message_info_dict.keys()
), "Some of the keys in the dictionary passed are not valid database columns"
# We update the entry for all entries in the dictionary containing the updates
statement = 'UPDATE messages SET {} WHERE uid = %s'.format(", ".join('{}=%s'.format(k) for k in update_dict))
# Concatenates the values of the dict with the unique identifier to pass it to the execution method as one variable
data = list(update_dict.values()) + [uid]
cursor.execute(statement, data) 
您應該將列名放在反引號中,以防列名是 SQL 保留關鍵字 或包含空格、標點符號或國際字元。還要確保列名稱中的反引號字元替換為兩個反引號。
assignments = ", ".join(f"`{k.replace('`', '``')}`=%s" for k in update_dict) statement = f"UPDATE messages SET {assignments} WHERE uid = %s"我更喜歡使用 f 字串而不是 format()。