How to create a function to remove unwanted characters, anti Injection

Viewed 80 times

0

Hello, I searched the internet for which characters to remove, but the searches did not answer my question. So I looked into anti-SQL-injection in Python, but I couldn't find any way to do it by directly removing the characters when forming the string... I only found solutions of a static type, where you already form the command being run; for me this type does not work, because I have dynamic ways of getting the results, depending on the result.

I need the variable to form as follows for example:

senha=d[6:]
con=consultarSql()
if senha!="":
    sql="SELECT id FROM motorista WHERE senha="+"'"+antisql(senha)+"'"
    myresult=con.consultar(sql)

For now the only character I'm removing is a tab, because it was getting in the way.

Would it be like this:

def antisql(string):
    # Removes characters one by one from the value before it is concatenated into the SQL string
    string=string.replace(" ","")
    string=string.replace("'","")
    string=string.replace("\"","")
    string=string.replace("\\","")
    # ... replace the other characters here
    return string

What I need is a complete list of characters that could get me into trouble. Just to mention, in my software the Python part is a websocket, and it gives a JSON result, so I removed this larger space character (it is not the normal space, no, it is a larger space character that breaks the JSON).

  • 1

    There must be something ready-made that will work much better than yours.

  • 1

    This is already implemented in drivers of databases, see http://bobby-tables.com/python for details.

  • 1

    I've seen these methods, but as I've already said, I need to do it dynamically; depending on the information, the result is one or the other.... I don't want to implement security directly in the SQL execution, I want to protect the variable before creating the SQL string.

  • 1

    I have tried to do it these ways but it did not work. I created a class to connect to MySQL and make queries and/or run them; it is easier to send the ready SQL string than to send the tables and data to the def.

  • 2

    If it's dynamic and these methods don't meet your needs, we'll need you to list all the possible cases that can happen in the application, as well as all the requirements to be met. Without this, any response will be based on speculation, without bringing any benefit to the community. I already assume that replacing characters does not add any kind of security to the application. That said, I voted to close the question as unclear until all the details are presented.

  • So, one problem I'm having at the moment is regarding parentheses. I try to do something like this: SELECT id FROM client WHERE phone='(xx)xxxxxxxxx' AND password='passwordperson'. It doesn't run in Python; when I do the search in phpMyAdmin it works normally, but in Python it does not return any result. Is it that parentheses cannot be used?


1 answer

-1

remove = set(";:,.'")

def clean(sentence):
    # Only the characters that actually occur in the sentence are replaced
    for c in set(sentence)&remove:
        sentence = sentence.replace(c,"")
    return sentence

Sentence = "feijão 'com, arroz"
CleanSentence = clean(Sentence)

print(Sentence)
print(CleanSentence)

  • You can also use Conn.escape_string()
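Added example, not code from the question, the answer or any driver: it puts the character-stripping approach of antisql()/clean() next to the parameterised query that the bobby-tables comment recommends, using Python's built-in sqlite3 module with a constructed in-memory table so it runs offline. The table name, column names and rows are assumptions made for the demo; the asker's MySQL class is not used. It also goes slightly beyond the page's quoted-string case by showing an unquoted numeric comparison, where stripping quotes removes nothing at all.

```python
import sqlite3

# Constructed sample rows for the demo: (id, telefone, senha). Not the asker's data.
ROWS = [
    (1, "(11)999999999", "pass1"),
    (2, "(21)888888888", "O'Brien"),
]

# The characters the question and the answer strip, plus the parentheses the
# asker later ran into. Kept only to show the side effects of this approach.
STRIPPED = "'\"\\;:,.()"


def strip_chars(value):
    """Character stripping in the style of antisql()/clean(): not a defence."""
    for c in STRIPPED:
        value = value.replace(c, "")
    return value


def setup():
    """Create an in-memory table (assumed schema) holding the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cliente (id INTEGER, telefone TEXT, senha TEXT)")
    con.executemany("INSERT INTO cliente VALUES (?, ?, ?)", ROWS)
    return con


def lookup_concat(con, telefone, senha):
    """Concatenated SQL after stripping: legitimate values are mangled."""
    sql = ("SELECT id FROM cliente WHERE telefone='" + strip_chars(telefone)
           + "' AND senha='" + strip_chars(senha) + "'")
    return sorted(r[0] for r in con.execute(sql))


def lookup_param(con, telefone, senha):
    """Placeholder plus parameters: the driver keeps the value out of the SQL
    text, so quotes and parentheses inside the data are just data."""
    sql = "SELECT id FROM cliente WHERE telefone=? AND senha=?"
    return sorted(r[0] for r in con.execute(sql, (telefone, senha)))


def by_id_concat(con, id_text):
    """Unquoted numeric comparison built by concatenation: stripping quotes
    removes nothing here, so whatever SQL the value contains is run as SQL."""
    sql = "SELECT id FROM cliente WHERE id=" + strip_chars(id_text)
    return sorted(r[0] for r in con.execute(sql))


def by_id_param(con, id_text):
    """Same comparison with a parameter: the whole string is one value."""
    sql = "SELECT id FROM cliente WHERE id=?"
    return sorted(r[0] for r in con.execute(sql, (id_text,)))


if __name__ == "__main__":
    con = setup()
    print(lookup_concat(con, "(11)999999999", "pass1"))    # []  parentheses stripped
    print(lookup_param(con, "(11)999999999", "pass1"))     # [1]
    print(lookup_concat(con, "(21)888888888", "O'Brien"))  # []  apostrophe stripped
    print(lookup_param(con, "(21)888888888", "O'Brien"))   # [2]
    print(by_id_concat(con, "1 OR 1=1"))  # [1, 2]  the whole table
    print(by_id_param(con, "1 OR 1=1"))   # []      compared as one text value
    print(by_id_param(con, "1"))          # [1]
```

The parameterised versions accept the phone number with parentheses that the asker's comment reports as "not returning any result", because the value is never spliced into the SQL text. The same pattern works for the dynamic case from the question: build the SQL text dynamically with placeholders, and pass the values alongside it, so the asker's class could accept `(sql, params)` instead of a finished string. Escaping helpers such as the `escape_string()` mentioned in the comment above are driver-specific and only cover quoted string contexts, which is why the unquoted numeric case above is the one stripping and escaping both miss.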
