如何从用户查询字符串设置 SELECT LIMIT
How to set SELECT LIMIT from user query string
是否可以把 URL 查询字符串中的值作为 SQLite3 的 LIMIT 值?例如,当用户带着查询字符串打开端点 /cities?per_page=10 时,网站只返回 city 表中的 10 条记录。
当我只是把 limit_page 变量名直接放在 LIMIT 后面时,浏览器返回 sqlite3.OperationalError: no such column: limit_page
from flask import (
Flask,
g,
redirect,
render_template,
request,
url_for,
jsonify,
) import sqlite3, itertools
# The Flask application object; the routes below are registered on it.
app = Flask(__name__)
# File name of the SQLite database opened by get_db().
DATABASE = "database.db"
def get_db():
    """Return the SQLite connection cached on ``flask.g``, opening it on first use.

    Every call within the same application context gets the same connection.
    Rows are returned as ``sqlite3.Row`` objects so columns can be read by name.
    """
    connection = getattr(g, '_database', None)
    if connection is not None:
        return connection
    connection = sqlite3.connect(DATABASE)
    connection.row_factory = sqlite3.Row
    g._database = connection
    return connection
@app.teardown_appcontext
def close_connection(exception):
    """Close the connection cached by get_db(), if any, when the app context ends.

    ``exception`` is passed in by Flask and is not used here.
    """
    connection = getattr(g, '_database', None)
    if connection is None:
        return
    connection.close()
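@app.route('/cities')
def city_list():
    """Return the names in the ``city`` table as a JSON array.

    Query parameters:
        per_page: optional non-negative integer capping the number of rows.
            A missing, non-numeric or negative value means "no limit".

    Returns:
        A JSON array with one string per row.
    """
    # type=int makes Flask coerce the value; anything that is not an integer
    # comes back as None and never reaches the database.
    limit_page = request.args.get('per_page', type=int)
    if limit_page is not None and limit_page < 0:
        # SQLite reads a negative LIMIT as "unlimited"; treat it the same as
        # an absent parameter so the intent is explicit.
        limit_page = None

    query = 'SELECT city FROM city'
    params = ()
    if limit_page is not None:
        # Bind the value through a placeholder. Writing the variable into the
        # SQL text (the original ``LIMIT *limit_page*``) is what produced the
        # "no such column" error, and interpolating user input there is how
        # SQL injection happens.
        query += ' LIMIT ?'
        params = (limit_page,)

    db = get_db()
    rows = db.execute(query, params).fetchall()
    # Only one column is selected, so each row holds exactly one name.
    return jsonify([row[0] for row in rows])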
if __name__ == "__main__":
    # Development entry point. debug=True enables Flask's reloader and the
    # interactive debugger, which is meant for local use only.
    app.run(debug=True)
使用参数化查询:
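# Read per_page as an int: Flask returns None for a missing or non-numeric
# value, so free-form text never reaches the database (where SQLite would
# reject it with a datatype mismatch at execution time).
limit_page = request.args.get('per_page', type=int)
if limit_page is not None and limit_page >= 0:
    # The value is bound via a placeholder, never spliced into the SQL text.
    query = 'SELECT city FROM city LIMIT ?'
    args = (limit_page,)
else:
    # Missing, non-numeric or negative (SQLite treats a negative LIMIT as
    # unlimited): fall back to the unbounded query.
    query = 'SELECT city FROM city'
    args = ()
db = get_db()
data = db.execute(query, args).fetchall()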
这会安全地把 GET 参数中 per_page 的值传入 SQL 查询并执行。使用参数化查询可以避免本来可能出现的常见 SQL 注入攻击。
是否可以把 URL 查询字符串中的值作为 SQLite3 的 LIMIT 值?例如,当用户带着查询字符串打开端点 /cities?per_page=10 时,网站只返回 city 表中的 10 条记录。
当我只是把 limit_page 变量名直接放在 LIMIT 后面时,浏览器返回 sqlite3.OperationalError: no such column: limit_page
from flask import (
Flask,
g,
redirect,
render_template,
request,
url_for,
jsonify,
) import sqlite3, itertools
# The Flask application object; the routes below are registered on it.
app = Flask(__name__)
# File name of the SQLite database opened by get_db().
DATABASE = "database.db"
def get_db():
    """Return the SQLite connection cached on ``flask.g``, opening it on first use.

    Every call within the same application context gets the same connection.
    Rows are returned as ``sqlite3.Row`` objects so columns can be read by name.
    """
    connection = getattr(g, '_database', None)
    if connection is not None:
        return connection
    connection = sqlite3.connect(DATABASE)
    connection.row_factory = sqlite3.Row
    g._database = connection
    return connection
@app.teardown_appcontext
def close_connection(exception):
    """Close the connection cached by get_db(), if any, when the app context ends.

    ``exception`` is passed in by Flask and is not used here.
    """
    connection = getattr(g, '_database', None)
    if connection is None:
        return
    connection.close()
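@app.route('/cities')
def city_list():
    """Return the names in the ``city`` table as a JSON array.

    Query parameters:
        per_page: optional non-negative integer capping the number of rows.
            A missing, non-numeric or negative value means "no limit".

    Returns:
        A JSON array with one string per row.
    """
    # type=int makes Flask coerce the value; anything that is not an integer
    # comes back as None and never reaches the database.
    limit_page = request.args.get('per_page', type=int)
    if limit_page is not None and limit_page < 0:
        # SQLite reads a negative LIMIT as "unlimited"; treat it the same as
        # an absent parameter so the intent is explicit.
        limit_page = None

    query = 'SELECT city FROM city'
    params = ()
    if limit_page is not None:
        # Bind the value through a placeholder. Writing the variable into the
        # SQL text (the original ``LIMIT *limit_page*``) is what produced the
        # "no such column" error, and interpolating user input there is how
        # SQL injection happens.
        query += ' LIMIT ?'
        params = (limit_page,)

    db = get_db()
    rows = db.execute(query, params).fetchall()
    # Only one column is selected, so each row holds exactly one name.
    return jsonify([row[0] for row in rows])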
if __name__ == "__main__":
    # Development entry point. debug=True enables Flask's reloader and the
    # interactive debugger, which is meant for local use only.
    app.run(debug=True)
使用参数化查询:
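# Read per_page as an int: Flask returns None for a missing or non-numeric
# value, so free-form text never reaches the database (where SQLite would
# reject it with a datatype mismatch at execution time).
limit_page = request.args.get('per_page', type=int)
if limit_page is not None and limit_page >= 0:
    # The value is bound via a placeholder, never spliced into the SQL text.
    query = 'SELECT city FROM city LIMIT ?'
    args = (limit_page,)
else:
    # Missing, non-numeric or negative (SQLite treats a negative LIMIT as
    # unlimited): fall back to the unbounded query.
    query = 'SELECT city FROM city'
    args = ()
db = get_db()
data = db.execute(query, args).fetchall()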
这会安全地把 GET 参数中 per_page 的值传入 SQL 查询并执行。使用参数化查询可以避免本来可能出现的常见 SQL 注入攻击。