我试图为我正在从事的项目创建数据库处理程序, 现在我知道在PHP中必须为SQL注入分别解析参数。 python是否也是这种情况,还是我只传递了raw参数? 另外,如果有人知道同时受PHP / python支持的密码的一种不错的加密方法,请::)
ps:对不起,英语太糟糕了。
这是我目前拥有的:
import mysql.connector
import json
class DatabaseHandler:
db_config = None
def __init__(self):
def load_db_config(self):
with open("lib/db_config.json","r") as reader:
return json.load(reader)
self.db_config = load_db_config()
def initiate_connection(self):
return mysql.connector.connect(host=self.db_config["host"],user=self.db_config["user"],passwd=self.db_config["password"],database=self.db_config["database"])
def execute_query(self,db_cursor,query):
try:
return db_cursor.execute(query)
except mysql.connector.errors.IntegrityError as e:
print(e)
def commit_action(self,query):
db = self.initiate_connection()
db_cursor = db.cursor()
self.execute_query(db_cursor,query)
db.commit()
db.close()
def fetch_action(self,query)
data = db_cursor.fetchall()
db.close()
return data
def get(self,table,fieldset,where=list()):
if len(fieldset) == 0 or len(fieldset) == 1 and fieldset[0] == "":
print("You must select some value from the database.")
else:
index = 0
whereset = ""
for value in where:
whereset += value if index < 2 else "'"+value+"'"
index += 1
query = "SELECT {} FROM {}".format(",".join(fieldset),table) if not where else "SELECT {} FROM {} WHERE {}".format(
",whereset)
return self.fetch_action(query)
def insert(self,value_dict):
keys = ""
values = ""
for key in list(value_dict.keys()):
keys += key
values += "'" + value_dict[key] + "'"
if not key == list(value_dict.keys())[len(value_dict.keys()) - 1]:
keys += ","
values += ","
query = "INSERT INTO {} ({}) VALUES ({})".format(table,keys,values)
self.commit_action(query)
def delete(self,where):
index = 0
whereset = ""
for value in where:
whereset += value+" " if index < 2 else "'"+value+"'"
index += 1
query = "DELETE FROM {} WHERE {};".format(table,whereset)
return self.commit_action(query)
def update(self,values,where):
value_set = ""
for key in list(values.keys()):
value_set += "{} = '{}',".format(key,values[key]) if not key == list(values.keys())[
len(values.keys()) - 1] else "{} = '{}'".format(key,values[key])
index = 0
whereset = ""
for value in where:
whereset += value if index < 2 else "'"+value+"'"
index += 1
query = "UPDATE {} SET {} WHERE {};".format(table,value_set,whereset)
self.commit_action(query)
'''
def database_test():
# Testing actions
username = "boedaka"
insertion_values = {
"naam": username,"wachtwoord": "tester","salt": "156151","email": "testmail@gmail.com"
}
print("Inserting values in database: ")
DatabaseHandler().insert("users",insertion_values)
print(DatabaseHandler().get("users",["*"],["naam","=",username]))
print("Updating values in the database: ")
DatabaseHandler().update("users",{"wachtwoord": "tester222","salt": "1353"},username])
print(DatabaseHandler().get("users",username]))
print("Deleting values from the database: ")
DatabaseHandler().delete("users",username])
'''
我的假设是这样的:
def get_v2(self,fields,where=list()):
query = None
if len(where) == 3:
where_fields,where_value = (where[0:2],where[2])
query = "SELECT {} FROM {} WHERE {} '%s';".format(",".join(fields)," ".join(where_fields))
elif len(where) == 0:
query = "SELECT {} FROM {}".format(",table)
if not query:
print("Error parsing query.")
return []
else:
try:
return self.fetch_action(query % where_value)
except NameError:
return self.fetch_action(query)