Python sql注入 过滤字符串的非法字符

#coding:utf8
#在开发过程中，要对前端传过来的数据进行验证，防止sql注入攻击，其中的一个方案就是过滤用户传过来的非法的字符


def sql_filter(sql, max_length=20):
    dirty_stuff = ["\"", "\\", "/", "*", "'", "=", "-", "#", ";", "<", ">", "+", "%", "$", "(", ")", "%", "@","!"]
    for stuff in dirty_stuff:
        sql = sql.replace(stuff, "")
    return sql[:max_length]


username = "1234567890!@#!@#!@#$%======$%"

username = sql_filter(username)  # SQL注入
print username

# 输出结果是:1234567890