这不起作用–更新无效:
command = "select content from blog where slug = 'meow'; update account_balance set balance=200 where id=1; select 1 from blog;"
content = db.engine.scalar(command)
切换语句将执行更新并成功选择:
command = "update account_balance set balance=200 where id=1; select content from blog where slug = 'meow';"
content = db.engine.scalar(command)
为什么第一个不起作用?它可以在Pgadmin中工作。我用Flask-Sqlalchemy启用了自动提交。
我正在举办有关SQL注入的研讨会,所以请不要重写解决方案!