Python sql注入 过滤字符串的非法字符

#coding:utf8
#在开发过程中,要对前端传过来的数据进行验证,防止sql注入攻击,其中的一个方案就是过滤用户传过来的非法的字符


def sql_filter(sql, max_length=20):
    dirty_stuff = ["\"", "\\", "/", "*", "'", "=", "-", "#", ";", "<", ">", "+", "%", "$", "(", ")", "%", "@","!"]
    for stuff in dirty_stuff:
        sql = sql.replace(stuff, "")
    return sql[:max_length]


username = "1234567890!@#!@#!@#$%======$%"

username = sql_filter(username)  # SQL注入
print username

# 输出结果是:1234567890

 

转载于:https://www.cnblogs.com/xuchunlin/p/7240385.html

你可能感兴趣的:(Python sql注入 过滤字符串的非法字符)