上下文
我写了一个旨在在服务器上运行的python脚本。该脚本接受用户输入以进行搜索。即,用户输入任意字符串,数据库将返回所有具有相似字符串的用户名。
问题描述
我不确定输入的安全性。该程序使用存储过程和参数化过程,但是尽管如此,如果用户未输入任何内容(即空白字符串)或输入了类似%的内容,则脚本将返回数据库中的每个用户名。
代码
import json
import mysql.connector
class json_read():
def __init__(self,name):
self.name = name
def json_caller(self):
with open(self.name) as f:
f = json.load(f)[0]
return f
f = json_read("database_connect.json")
config = f.json_caller()
def mysql_connect(func):
def wrapper(*args, **kwargs):
try:
cnx = mysql.connector.connect(**config)
cursor = cnx.cursor()
cursor.execute(*args, **kwargs)
result = cursor.fetchall()
print("\nConnection is stable @ " + func.__name__)
print(result)
except:
print("\nConnection failed @ " + func.__name__)
return wrapper
class query_dbh():
f2 = json_read("queries.json")
def __init__(self, index):
self.index = self.f2.json_caller()[index]
@mysql_connect
def query(*args, **kwargs):
pass
search_query = query_dbh("Search_uid").index
search_param = [raw_input("Search: ") + "%"]
query(search_query,(search_param))
查询保存在JSON文件中,并由脚本加载
[
{
"Select_names" : "SELECT first,last FROM user",
"Select_id" : "SELECT id FROM user",
"Order_names" : "SELECT first, last FROM user ORDER BY first ASC",
"Search_uid" : "SELECT uid FROM user WHERE uid LIKE %s"
}
]
其中Search_uid是正在使用的查询。