#coding:utf8 #在开发过程中,要对前端传过来的数据进行验证,防止sql注入攻击,其中的一个方案就是过滤用户传过来的非法的字符 def sql_filter(sql, max_length=20): dirty_stuff = [""", "\", "/", "*", "'", "=", "-", "#", ";", "<", ">", "+", "%", "$", "(", ")", "%", "@","!"] for stuff in dirty_stuff: sql = sql.replace(stuff, "") return sql[:max_length] username = "1234567890!@#!@#!@#$%======$%" username = sql_filter(username) # SQL注入 print username # 输出结果是:1234567890