Bandit vulnerability on 'Drop View <View_Name>'


Question


I am not sure why bandit is notifying the below as 'Detected possible formatted SQL query. Use parameterized queries instead.':

    conn.execute(f"DROP VIEW {view_name};")

Is there a way to parameterize the view_name? Or is concatenation the only way forward to remove the bandit flags here?

Answer 1

Score: 2


In SQL, you can't parameterize identifiers, only values. A view name is an identifier. A quoted string constant or numeric constant is a value.

It's more common to use application variables as values in a formatted SQL statement, so it's not surprising that your Bandit detection tool suggests using parameters. But you can't do that in this case.

When making SQL statements with dynamic identifiers, the best you can do is to make sure your view_name variable is safe from SQL injection threats. That is, it contains no untrusted content. Either set it explicitly in your code, allowing no external content to be used, or else use some pattern-matching code to ensure it is a valid view name and nothing else.
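One way to put the answer's advice into practice, as an added example that is not part of the original post: the identifier is checked against a strict pattern and an application-owned allowlist before it is interpolated, and then quoted as a SQL identifier. The allowlist contents, the `sqlite3` in-memory database, and the function names are assumptions made for the example; the `# nosec B608` marker is Bandit's own suppression syntax for its string-built SQL test and is only justified because the identifier has been validated first.

```python
import re
import sqlite3
from typing import Optional

# Added example (not from the original post): drivers cannot bind identifiers,
# so a dynamic view name must be validated by the application before use.

# Constructed allowlist: the views this application itself creates.
KNOWN_VIEWS = {"active_users", "monthly_sales"}

# Conservative identifier pattern: a letter or underscore followed by up to 62
# letters, digits or underscores. Deliberately stricter than any SQL dialect,
# so quotes, whitespace, semicolons and comment markers can never get through.
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")


def safe_identifier(name: str, allowed: Optional[set] = None) -> str:
    """Return `name` as a double-quoted SQL identifier, or raise ValueError.

    Two checks: the name must match the strict pattern, and, when an allowlist
    is supplied, it must be one of the names the application knows about.
    """
    if not _IDENT_RE.fullmatch(name):
        raise ValueError(f"invalid identifier: {name!r}")
    if allowed is not None and name not in allowed:
        raise ValueError(f"unknown view: {name!r}")
    # The pattern already excludes '"', so quoting is belt-and-braces; it also
    # keeps a view that happens to be named after a reserved word working.
    return '"' + name + '"'


def drop_view(conn: sqlite3.Connection, view_name: str) -> None:
    """Drop a view whose name has passed safe_identifier()."""
    ident = safe_identifier(view_name, KNOWN_VIEWS)
    # The only interpolated text is a validated, quoted identifier.
    conn.execute(f"DROP VIEW {ident};")  # nosec B608 - identifier validated above


def demo() -> dict:
    """Create a view, drop it through drop_view, then submit a hostile name.

    Returns the outcomes as a dict so the behaviour can be checked.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, active INTEGER)")
    conn.execute("CREATE VIEW active_users AS SELECT id FROM users WHERE active = 1")

    def view_exists(name: str) -> bool:
        # Values (here the name being looked up) can be bound normally.
        row = conn.execute(
            "SELECT 1 FROM sqlite_master WHERE type = 'view' AND name = ?", (name,)
        ).fetchone()
        return row is not None

    existed_before = view_exists("active_users")
    drop_view(conn, "active_users")
    exists_after = view_exists("active_users")

    # Constructed hostile input: if interpolated raw it would try to smuggle a
    # second statement; the validator must reject it before any SQL runs.
    hostile_rejected = False
    try:
        drop_view(conn, 'active_users"; DROP TABLE users; --')
    except ValueError:
        hostile_rejected = True

    table_intact = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone() is not None
    conn.close()
    return {
        "existed_before": existed_before,
        "exists_after": exists_after,
        "hostile_rejected": hostile_rejected,
        "table_intact": table_intact,
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist is the stronger of the two checks: the pattern only guarantees the name is syntactically an identifier, while the allowlist guarantees it is one the application meant to expose. Keep the pattern even when an allowlist exists, so that a later edit to the allowlist cannot silently reintroduce an unsafe name.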

huangapple
  • This article was posted on May 29, 2023 15:15:21
  • Please keep the link to this article when reposting: https://go.coder-hub.com/76355339.html