[Python Advanced] Web Security in Python: Defending Against Common Network Attacks


Chapter 1: Web Security Overview and the Python Environment
1.1 Why Web Security Matters
In the digital age, web security has become a core concern that neither businesses nor individuals can ignore. Imagine your online bank account as an unguarded gate that an attacker can breach with a single blow to steal the funds inside, or the website you worked hard to build turning overnight into a distribution point for malware because of one small vulnerability. Web security is not only about data protection and privacy rights; it is also an essential part of business reputation and legal compliance.

1.1.1 The Current Cybersecurity Landscape
In the real world, network attacks happen constantly, from large-scale data breaches to targeted APT campaigns; the threats are everywhere. According to statistics, tens of thousands of attacks against web applications occurred worldwide in the past year alone. The techniques keep evolving, with SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF) and others making web security defense a serious challenge.

1.1.2 Python's Role in Web Security Defense
Python, a high-level language widely used for web development, is popular with developers for its clear, concise syntax and its rich ecosystem of third-party libraries. It plays an important role in web security defense: its major web frameworks (such as Django and Flask) ship built-in security features, and security projects such as the OWASP Python Security Project (OWASP PSF) provide tools and guidance that help developers avoid common security pitfalls and build more secure applications.

Example: Consider an e-commerce site built with Python's Django framework. Django ships a complete permissions and authentication system: the django.contrib.auth module implements hashed password storage, login verification and related functions, protecting user accounts. Django also provides CSRF and XSS protection middleware that handles common web security problems automatically, greatly reducing the risk introduced by developer oversight.

1.2 Overview of Python Web Frameworks
1.2.1 Django's Security Features
Django follows a "security first" design philosophy and integrates several security features in its default configuration: an ORM (object-relational mapping) layer that prevents SQL injection, CSRF protection, XSS defenses, and strict authentication and authorization mechanisms. Developers enable these features with simple settings rather than designing a security scheme from scratch.

Code snippet:

# Enabling CSRF protection in Django: CsrfViewMiddleware belongs in the
# MIDDLEWARE setting (not INSTALLED_APPS) in settings.py, where it is
# already present in a freshly generated project.
MIDDLEWARE = [
    # ...
    'django.middleware.csrf.CsrfViewMiddleware',
]

# Safe queries with the Django ORM
from django.db import models


class Product(models.Model):
    name = models.CharField(max_length=255)

    @classmethod
    def safe_search(cls, query):
        # The manager is only reachable from the class, not from instances;
        # the ORM binds `query` as a parameter, so it is never interpolated
        # into the SQL text.
        return cls.objects.filter(name__icontains=query)

1.2.2 Security Practices in Flask and Other Popular Frameworks
Flask is a lightweight web framework. Its default security features are less comprehensive than Django's, but they can be strengthened with extensions: Flask-SQLAlchemy helps guard against SQL injection through parameterized ORM queries, and Flask-WTF supports form validation and CSRF token management.

Flask security practice example:

from flask import Flask, abort
from flask_sqlalchemy import SQLAlchemy
from flask_wtf import FlaskForm
from flask_wtf.csrf import CSRFProtect
from wtforms import StringField, PasswordField, SubmitField
from wtforms.validators import DataRequired

app = Flask(__name__)
app.config['SECRET_KEY'] = 'your_secret_key_here'  # load from the environment in production
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///app.db'
csrf = CSRFProtect(app)  # every POST/PUT/PATCH/DELETE now requires a valid CSRF token

db = SQLAlchemy(app)

# A CSRF-protected form built with Flask-WTF
class LoginForm(FlaskForm):
    username = StringField('Username', validators=[DataRequired()])
    password = PasswordField('Password', validators=[DataRequired()])
    submit = SubmitField('Sign In')

# The CSRF token is checked when the view handles the POST request
@app.route('/login', methods=['POST'])
def login():
    form = LoginForm()
    if form.validate_on_submit():
        # CSRF token validation is performed automatically at this point
        # ... continue with username and password verification ...
        return 'Logged in'
    abort(400)  # missing/invalid token or failed field validation

This accessible introduction, combined with real application scenarios and code examples, shows not only why web security is so critical but also how capable and convenient Python is for web security defense, which should encourage further exploration and hands-on practice.
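As an added illustration (not code from the original article or from Flask-WTF), the following stand-alone Python shows the synchronizer-token mechanism that CSRFProtect implements behind the scenes: a random per-session token is issued, copied into the form as a hidden field, and compared in constant time with the value the browser submits. The session is modelled as a plain dict, and the names issue_csrf_token, verify_csrf_token, hidden_csrf_field and handle_login_post are hypothetical.

```python
import hmac
import secrets
from typing import Optional, Tuple

# Stand-alone sketch of the synchronizer-token pattern used by CSRF middleware
# such as Flask-WTF's CSRFProtect. The session is a plain dict here; in a real
# app it is the server-side or signed-cookie session. Names are hypothetical.

CSRF_SESSION_KEY = "_csrf_token"


def issue_csrf_token(session: dict) -> str:
    """Return the session's CSRF token, creating a fresh random one if needed.

    The token lives in the session and is copied into each rendered form as a
    hidden field; a page on another origin cannot read the victim's session,
    so it cannot supply a matching value.
    """
    token = session.get(CSRF_SESSION_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        session[CSRF_SESSION_KEY] = token
    return token


def verify_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    """Check a submitted token against the session token in constant time."""
    expected = session.get(CSRF_SESSION_KEY)
    if expected is None or submitted is None:
        return False
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def hidden_csrf_field(session: dict) -> str:
    """Render the hidden input that a form template would include."""
    return f'<input type="hidden" name="csrf_token" value="{issue_csrf_token(session)}">'


def handle_login_post(session: dict, form_data: dict) -> Tuple[int, str]:
    """Minimal view: reject with 400 unless the CSRF token matches."""
    if not verify_csrf_token(session, form_data.get("csrf_token")):
        return 400, "CSRF token missing or invalid"
    if not form_data.get("username") or not form_data.get("password"):
        return 400, "username and password are required"
    # ... credential verification would follow here ...
    return 200, "Logged in"


if __name__ == "__main__":
    victim_session = {}
    print(hidden_csrf_field(victim_session))
    # Legitimate submission: the form carried the session's token.
    print(handle_login_post(victim_session,
                            {"csrf_token": victim_session[CSRF_SESSION_KEY],
                             "username": "alice", "password": "correct horse"}))
    # Cross-site submission: the forged page cannot know the victim's token.
    print(handle_login_post(victim_session,
                            {"username": "alice", "password": "correct horse"}))
```

The token is bound to the session, not to the user agent, which is why the middleware also needs the SECRET_KEY shown above: Flask's session cookie is signed with it, so the token cannot be forged or swapped without the key.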


Chapter 2: SQL Injection Attacks and Their Prevention
2.1 How SQL Injection Works, with an Example
2.1.1 The Danger of Unsafe Queries
Imagine you are a detective who writes an unlocked query on the case board: "find the suspect named 'John Doe'". A cunning adversary quietly rewrites it as "find the suspect named 'John Doe', or all bank card records", and a simple lookup for one suspect instantly becomes a data breach. That is the basic principle of SQL injection: the attacker submits maliciously crafted input to the web application that changes the logic of the original SQL statement, gaining unauthorized information or performing unauthorized operations.

Example: Suppose we have a simple login endpoint that takes a username and password and queries the database:

from flask import request

username = request.args.get('username')
password = request.args.get('password')
# Vulnerable: user input is interpolated straight into the SQL text
query = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
# execute the SQL query...
The attacker can try entering ' OR '1'='1 as the username; any password then logs in successfully, because the generated SQL becomes SELECT * FROM users WHERE username='' OR '1'='1' AND password='...', a condition that is always true, exposing every user's records.

2.1.2 Using an ORM in Python to Prevent SQL Injection
Popular Python ORM (object-relational mapping) frameworks such as SQLAlchemy and the Django ORM provide strong protection against SQL injection. They separate the SQL query from the data: through parameterized queries, what the application hands to the database is properly handled data rather than a string that can be tampered with.

Python ORM security example (using SQLAlchemy):

from flask import request
from sqlalchemy import create_engine, Table, MetaData, select, bindparam

engine = create_engine('sqlite:///mydatabase.db')  # connect to the database
metadata = MetaData()
users_table = Table('users', metadata, autoload_with=engine)  # reflect the table structure

# Safe parameterized query: the SQL text contains only placeholders
stmt = (
    select(users_table)
    .where(users_table.c.username == bindparam('username'))
    .where(users_table.c.password == bindparam('password'))
)
with engine.connect() as connection:
    result = connection.execute(
        stmt,
        {'username': request.args.get('username'), 'password': request.args.get('password')},
    )
    # process the query results...
In this example, bindparam marks the query parameters explicitly as placeholders. When the query runs, the ORM escapes and types the supplied values correctly, so even if an attacker tries to inject SQL, the input is treated as ordinary data and injection is avoided.

2.2 SQL Injection Defenses in Python in Detail
2.2.1 Parameterized Queries
A parameterized query passes the variable parts of a SQL command to the database API as parameters instead of concatenating them into the SQL string. The database driver or engine then handles escaping and type conversion of the parameters, so malicious data cannot alter the query's structure.

2.2.2 Using Prepared SQL Statements
A prepared statement (Prepared Statement or PreparedStatement) is a technique in which a SQL template is prepared in advance and executed many times, substituting different parameters on each execution. Python's DB-API compatible database drivers generally support prepared statements, which significantly reduces the risk of SQL injection.

# MySQL Connector/Python example
import mysql.connector

cnx = mysql.connector.connect(user='your_username', password='your_password', database='your_db')
cursor = cnx.cursor(prepared=True)  # server-side prepared statement

query = "SELECT * FROM users WHERE username = %s AND password = %s"
cursor.execute(query, ('attacker_input', 'attacker_input'))  # input containing SQL fragments is still handled as data
rows = cursor.fetchall()
cursor.close()
cnx.close()
2.2.3 Input Validation and Sanitization
Besides parameterized queries, both the front end and the back end should validate and sanitize user input strictly, for example by limiting the length of usernames and passwords and disallowing special characters. Although this alone is not a reliable way to prevent SQL injection, it is an indispensable layer of an overall security strategy: it lowers the likelihood of injection attacks and improves the robustness of the application.
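To make the contrast in 2.1.1 and the advice in 2.2.1 through 2.2.3 concrete, here is an added stand-alone Python example (not code from the original article) using the standard-library sqlite3 module and an in-memory table with constructed sample users. It shows three things: string formatting lets the article's sample input rewrite the SQL text; a parameterized query's SQL never changes and treats the same input as plain data; and an allowlist validator rejects that input before the database is reached. The function names, the users table layout and the validation limits are assumptions made for this example.

```python
import re
import sqlite3
from typing import Optional, Tuple

# Constructed sample data for the demonstration (plain-text passwords only to
# keep the example short; real systems store salted password hashes).
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "tr0ub4dor&3")]

# The article's sample input from section 2.1.1
INJECTED_USERNAME = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create the in-memory users table used by this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query_unsafe(username: str, password: str) -> str:
    """The f-string pattern from 2.1.1: input becomes part of the SQL text."""
    return f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"


# Parameterized form: the SQL text is a constant with '?' placeholders.
SAFE_QUERY = "SELECT username FROM users WHERE username = ? AND password = ?"


def find_user_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Bind the values; sqlite3 never splices them into the statement."""
    row = conn.execute(SAFE_QUERY, (username, password)).fetchone()
    return row[0] if row else None


# Allowlist validation (2.2.3). The limits are assumptions for this example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")
PASSWORD_MIN, PASSWORD_MAX = 8, 128


def validate_credentials(username: str, password: str) -> Tuple[bool, str]:
    """Reject input that can never be a legitimate credential before querying."""
    if not USERNAME_RE.fullmatch(username):
        return False, "username must be 3-32 characters from [A-Za-z0-9_.-]"
    if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
        return False, f"password must be {PASSWORD_MIN}-{PASSWORD_MAX} characters"
    return True, "ok"


def login(conn: sqlite3.Connection, username: str, password: str) -> Tuple[int, str]:
    """Validate first, then query with bound parameters: defense in depth."""
    ok, reason = validate_credentials(username, password)
    if not ok:
        return 400, reason
    user = find_user_safe(conn, username, password)
    if user is None:
        return 401, "invalid credentials"
    return 200, f"welcome {user}"


if __name__ == "__main__":
    conn = make_db()
    # The injected username rewrites the statement's structure:
    print(build_query_unsafe(INJECTED_USERNAME, "x"))
    # The same input, bound as a parameter, is compared as a literal string:
    print(find_user_safe(conn, INJECTED_USERNAME, "x"))  # None
    print(login(conn, INJECTED_USERNAME, "x"))           # (400, ...)
    print(login(conn, "alice", "correct horse"))         # (200, 'welcome alice')
```

Note that validation is placed in front of the query rather than instead of it: the parameter binding is what actually keeps the statement's structure fixed, while the allowlist shrinks the input space and gives a clear 400 response for junk that would otherwise reach the database.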


Chapter 3: Cross-Site Scripting (XSS) Attacks and Defenses
3.1 Types of XSS Attacks and Their Impact
3.1.1 Stored XSS versus Reflected XSS
Imagine leaving a message on a public message board, only for the message to be tampered with so that when other people view it, their browsers run malicious JavaScript hidden inside it. That is a typical scenario of cross-site scripting (Cross-site Scripting, XSS).

Stored XSS: In this type of attack the malicious script is stored persistently on the server side, for example in a database or cache. Once stored, it executes for every user who visits a page containing it. For instance, a malicious user might insert a script into their profile bio; when other users view that profile, the script runs in their browsers and may steal their cookies or other sensitive information.

Reflected XSS: Unlike the stored variant, reflected XSS leaves no trace on the server. The malicious script is embedded in a URL or another user-controlled parameter; when the victim clicks a crafted link, the server receives the request and reflects the script back into the user's browser, where it executes. A malicious link in a phishing e-mail, for example, runs the script as soon as the user clicks it, potentially leading to account hijacking or other security problems.

3.1.2 Walking Through an Attack Example
Suppose a web application lets users search news headlines via a GET parameter. Insecure code might look like this:

from flask import Flask, request, render_template

app = Flask(__name__)


@app.route('/search')
def search():
    keyword = request.args.get('q')
    result = search_news_database(keyword)  # the application's own lookup helper
    # Vulnerable only because results.html, as this example assumes, writes
    # `keyword` into the page without escaping; Flask's default autoescaping
    # would otherwise neutralize it.
    return render_template('results.html', results=result, keyword=keyword)
An attacker might construct a URL like the following and lure users into clicking it:

https://example.com/search?q=

When the user clicks the link, the server inserts the q parameter directly into the HTML page, so the browser executes
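As an added example (not the article's code), the following stand-alone Python shows the difference the escaping step makes when a reflected parameter such as q is written into a results page. It renders the search scenario two ways: the unsafe template concatenation the text describes, and a hardened version that passes the value through the standard library's html.escape before it reaches the HTML body and the value attribute of the search box. The constructed keyword contains only a harmless <b> tag and a double quote, which is enough to show that element and attribute boundaries are neutralized. The function names, the sample headlines standing in for search_news_database and the page layout are assumptions.

```python
import html
from typing import List

# Constructed sample input: a tag plus a double quote, so that both the
# element-content and the attribute contexts are exercised. Not from the article.
SAMPLE_KEYWORD = '<b>budget</b>"'

# Constructed headlines standing in for search_news_database(); not from the article.
SAMPLE_RESULTS = ["Budget talks resume", "City budget approved"]


def render_results_unsafe(keyword: str, results: List[str]) -> str:
    """Direct string interpolation: whatever is in `keyword` becomes markup."""
    items = "".join(f"<li>{title}</li>" for title in results)
    return (
        f'<input type="search" name="q" value="{keyword}">'
        f"<h1>Results for {keyword}</h1><ul>{items}</ul>"
    )


def render_results_safe(keyword: str, results: List[str]) -> str:
    """Escape every untrusted value for the context it lands in.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so the value
    can neither close the attribute it sits in nor start a new element.
    """
    q_attr = html.escape(keyword, quote=True)   # attribute context
    q_text = html.escape(keyword, quote=False)  # element content
    items = "".join(f"<li>{html.escape(title)}</li>" for title in results)
    return (
        f'<input type="search" name="q" value="{q_attr}">'
        f"<h1>Results for {q_text}</h1><ul>{items}</ul>"
    )


def count_tags(fragment: str, tag: str) -> int:
    """Count how many `<tag` openers a rendered fragment contains."""
    return fragment.count(f"<{tag}")


if __name__ == "__main__":
    print(render_results_unsafe(SAMPLE_KEYWORD, SAMPLE_RESULTS))
    print(render_results_safe(SAMPLE_KEYWORD, SAMPLE_RESULTS))
```

In the unsafe output the stray quote closes the value attribute early and the tag is rendered as markup; in the hardened output both survive only as literal text. Jinja2's autoescaping, which Flask enables for .html templates, performs the same transformation, so the practical rule is to keep autoescaping on and never mark user-controlled values with |safe.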




鏈枃URL锛http://www.odweb.cn/news_show.html?id=430