MyTetra Share
SQL Injection / SQL queries in peewee
Created: 12.05.2017 17:05
Section: Python - Modules - peewee
Record: xintrea/mytetra_db_mcold/master/base/1494597936xbxdbq5n4l/text.html on raw.githubusercontent.com

Security and SQL Injection

By default peewee will parameterize queries, so any parameters passed in by the user will be escaped. The only exception to this rule is if you are writing a raw SQL query or are passing in a SQL object which may contain untrusted data. To mitigate this, ensure that any user-defined data is passed in as a query parameter and not part of the actual SQL query:

from peewee import SQL  # `SQL` wraps a raw SQL fragment; `MyModel` is a peewee Model subclass

# `user_data` is untrusted input (for example, a value taken from a request).

# Bad! String formatting splices `user_data` into the SQL text before peewee ever sees it.
query = MyModel.raw('SELECT * FROM my_table WHERE data = %s' % (user_data,))

# Good. `user_data` will be treated as a parameter to the query.
query = MyModel.raw('SELECT * FROM my_table WHERE data = %s', user_data)

# Bad! Same problem: the fragment is formatted before it is wrapped in SQL().
query = MyModel.select().where(SQL('Some SQL expression %s' % user_data))

# Good. `user_data` will be treated as a parameter.
query = MyModel.select().where(SQL('Some SQL expression %s', user_data))
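The difference between the two patterns above is easiest to see when the same input is run through both. The following is an added example, not code from the page or from the peewee project; it uses the standard-library sqlite3 driver (which peewee wraps for SQLite) so it runs without peewee installed, and the table, rows and function names are constructed for the demonstration. sqlite3 uses `?` as its placeholder where peewee's `raw()` uses `%s`; the quoting around the formatted value in `lookup_bad` is added so that the spliced string is at least a syntactically plausible literal.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
ROWS = [("alice",), ("O'Reilly",), ("bob",)]


def make_db():
    """Create an in-memory table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_table (data TEXT)")
    conn.executemany("INSERT INTO my_table (data) VALUES (?)", ROWS)
    conn.commit()
    return conn


def lookup_bad(conn, user_data):
    """Mirrors the page's 'Bad!' pattern: the value is spliced into the SQL text.

    The database cannot tell where the data ends and the statement resumes,
    so any quote character inside `user_data` changes the query itself.
    """
    sql = "SELECT data FROM my_table WHERE data = '%s'" % (user_data,)
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_good(conn, user_data):
    """Mirrors the 'Good' pattern: the value is bound as a query parameter.

    The statement text is fixed; the driver hands the value to the engine
    separately, so it is always compared as data, quotes included.
    """
    sql = "SELECT data FROM my_table WHERE data = ?"
    return [row[0] for row in conn.execute(sql, (user_data,)).fetchall()]


def compare(user_data):
    """Run both forms against the same input and report what each did.

    Returns a dict with the rows each form found; if the spliced form
    produced a statement the engine rejects, 'bad' is None and
    'bad_error' carries the exception class name.
    """
    conn = make_db()
    try:
        good = lookup_good(conn, user_data)
        try:
            bad, bad_error = lookup_bad(conn, user_data), None
        except sqlite3.Error as exc:
            bad, bad_error = None, type(exc).__name__
    finally:
        conn.close()
    return {"good": good, "bad": bad, "bad_error": bad_error}


if __name__ == "__main__":
    for value in ("alice", "O'Reilly"):
        print(repr(value), "->", compare(value))
```

For a plain value such as `alice` both lookups return the same row. For `O'Reilly` the parameterized lookup returns the matching row, while the formatted version produces `... WHERE data = 'O'Reilly'`, which the engine rejects with an `OperationalError`: the apostrophe from the input has been interpreted as part of the SQL rather than as data. That a single quote in ordinary input is enough to alter the statement is the same defect that makes the "Bad!" forms on this page injectable, and it is a useful unit test to keep around for any code that builds query text by hand.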