Securing a POST request on Flask
I built a simple Flask application that receives a POST request and performs some actions after receiving it. Here is my simple code:
from flask import Flask, request, jsonify
app = Flask(__name__)

@app.route('/<user>/', methods=['POST'])
def Receiver(user):
    # .first() returns the matching User row, or None if the token is unknown
    Query = User.query.filter_by(token=user).first()
    if Query is None:
        return jsonify({'error': 'unknown token'}), 404
    Content = request.data.decode('UTF-8')
    Data = {'Content': Content, 'Username': Query.Username, 'UserID': Query.UserID}
    return jsonify(Data)
I would like to make this code as safe as possible, but I'm just getting started with Flask and security in general. What dangers can I run into using this code? I'm using the variable user to make a query to my database; can it be harmful if that variable gets set to an SQL query, for example? What other threats should I consider in this case?
Here are some of my thoughts on your question:

Just to add to what Marek said, I would also recommend changing to a GET... as long as there's no sensitive information being passed along in the URL. This link nicely explains the differences. It might be a good idea to look at encrypting the URL token string too, so that any parameters aren't passed over in plain text, as this leaves room for vulnerability.

Alongside this, if the site is to be made live, definitely ensure to use SSL encryption.

In terms of SQL validation, you'll need to sanitize the input before it ever reaches the database. You can do this in Flask simply by using the HTML escape special chars... But Flask provides their own function. This link might help in that regard.

In terms of error handling, I found this tutorial mighty useful. That whole series of blog posts walks you right the way through.
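An added example (not code from the question or the answer above) showing the part of the question that worries the asker: whether a token value that looks like SQL can affect the database query. SQLAlchemy's filter_by() binds the value as a query parameter, so it is compared as data rather than interpreted as SQL; the same property is shown here with the standard-library sqlite3 module so it runs without Flask. The table layout, the token format rule, the size cap and the function names (find_by_token, lookup_user, build_response) are assumptions made for the example, and the database contents are constructed. The Flask handler in the question would call build_response() and return its status code and body.

```python
import re
import sqlite3

# Constructed stand-in for the question's User table (assumed columns).
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, token TEXT UNIQUE)"
    )
    conn.executemany(
        "INSERT INTO user (username, token) VALUES (?, ?)",
        [("alice", "tok_alice_0001"), ("bob", "tok_bob_0002")],
    )
    conn.commit()
    return conn

# Assumed token format: URL-safe characters only, 8 to 64 long.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{8,64}$")
# Assumed upper bound on the raw request body the endpoint echoes back.
MAX_CONTENT_BYTES = 64 * 1024

def find_by_token(conn, token):
    """Parameterized lookup: the token is bound as data, never spliced into SQL.
    Returns (id, username) or None, exactly like filter_by(...).first()."""
    row = conn.execute(
        "SELECT id, username FROM user WHERE token = ?", (token,)
    ).fetchone()
    return None if row is None else (row[0], row[1])

def lookup_user(conn, token):
    """Reject values that cannot be a token before touching the database,
    then do the bound-parameter lookup."""
    if not isinstance(token, str) or not TOKEN_RE.fullmatch(token):
        return None
    return find_by_token(conn, token)

def build_response(conn, token, raw_body):
    """Return (http_status, json_body) for the handler in the question."""
    if len(raw_body) > MAX_CONTENT_BYTES:
        return 413, {"error": "request body too large"}
    user = lookup_user(conn, token)
    if user is None:
        # Unknown or malformed token: same answer either way, no detail leaked.
        return 404, {"error": "unknown token"}
    user_id, username = user
    try:
        content = raw_body.decode("utf-8")
    except UnicodeDecodeError:
        return 400, {"error": "body is not valid UTF-8"}
    return 200, {"Content": content, "Username": username, "UserID": user_id}

if __name__ == "__main__":
    db = build_demo_db()
    print(build_response(db, "tok_alice_0001", b"hello"))
    print(build_response(db, "x' OR 'a'='a", b"hello"))
```

find_by_token() alone already returns None for a token containing SQL syntax, because the driver compares the whole string against the column; the format check in lookup_user() is a second layer that also keeps oversized or non-printable values out of the query and the logs.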