我正在為我的 web 應(yīng)用程序編寫一個(gè)輔助函數(shù),該函數(shù)根據(jù)從外部 API(不是用戶輸入的)獲取的一些信息來更新數(shù)據(jù)庫。我有以下代碼,但它被 Bandit python 包標(biāo)記為“不安全”。
理想情況下,我可以以硬編碼要更新的列的方式編寫一個(gè)函數(shù)����,但我認(rèn)為它也應(yīng)該可以動(dòng)態(tài)實(shí)現(xiàn)�。
這是更新表的安全方法(不可能進(jìn)行 SQL 注入)嗎?
import mysql.connector as database
def update_message_by_uid(uid: str, update_dict: dict) -> None:
# Fetches the previous entry from the database using the unique identifier
message_info_dict = get_message_by_uid(uid)
# check that all the keys of the update dict are also in the original dict
assert set(update_dict.keys()) <= set(
message_info_dict.keys()
), "Some of the keys in the dictionary passed are not valid database columns"
# We update the entry for all entries in the dictionary containing the updates
statement = 'UPDATE messages SET {} WHERE uid = %s'.format(", ".join('{}=%s'.format(k) for k in update_dict))
# Concatenates the values of the dict with the unique identifier to pass it to the execution method as one variable
data = list(update_dict.values()) + [uid]
cursor.execute(statement, data)
