zoukankan      html  css  js  c++  java
  • Python 字符串拼接 sql ,造成 sql 注入例子

    简单的 userinfo 表

    **字符串拼接 sql **

    import pymysql
    
    # 测试环境的数据库连接
    conn = pymysql.connect(host='192.168.0.214', port=3306, user='root', passwd='123456', db='tmpdb')
    cursor = conn.cursor()
    
    # 字符串拼接sql,用户名和密码都是乱写
    sql = 'select username, password from userinfo where username="%s" and password="%s"'
    sql = sql %('yy" or 1=1 -- ', '11111')
    cursor.execute(sql)
    r = cursor.fetchone()
    print(r)
    
    cursor.close()
    conn.close()
    
    # 运行结果,正确取到数值
    ('klvchen', '123456')
    
    

    正常的写法

    # __author__:"klvchen"
    # date: 2018/12/12
    import pymysql
    
    conn = pymysql.connect(host='192.168.0.214', port=3306, user='root', passwd='123456', db='tmpdb')
    cursor = conn.cursor()
    
    cursor.execute('select username, password from userinfo where username=%s and password=%s', ('yy" or 1=1 -- ', '11111'))
    r = cursor.fetchone()
    print(r)
    
    cursor.close()
    conn.close()
    
    # 运行结果,没有取到数值
    None
    
  • 相关阅读:
    【转载】CSS的inline、block与inline-block
    MySQL常用语法
    JS模态对话框
    CS3常用属性手记
    画布常用手记
    CSS属性常用手记
    H5试题
    window对象常用手记
    js对象常用手记
    常用DOM对象手记
  • 原文地址:https://www.cnblogs.com/klvchen/p/10108466.html
Copyright © 2011-2022 走看看