SQL injection: let pymysql's execute() handle the parameters


```python
import pymysql

conn = pymysql.connect(
    user='root',
    password='zx360828htc',
    host='localhost',
    port=3306,
    charset='utf8',
    database='test'
)
cursor = conn.cursor(cursor=pymysql.cursors.DictCursor)

movieid = input('movieid>>').strip()
moviename = input('moviename>>').strip()

# Vulnerable variants: the user input is spliced into the SQL text with % formatting
# sql = "select * from user_info where name = '%s' and password = '%s'" % (username, password)
# sql = 'select * from user_info where name = "%s" and password = "%s"' % (username, password)
# select * from user_info where name = "张三' -- fhjkasdhfkla" and password = ""
#   (when the outer quotes are double quotes, the single-quote payload has no effect)

# Safe variant: keep %s as placeholders and let pymysql bind the values
sql = "select * from movie where movieid = %s and moviename = %s"
print(sql)
# cursor.execute(sql)
cursor.execute(sql, (movieid, moviename))  # pymysql escapes each value before substituting it
res = cursor.fetchall()
if res:
    print(res)
else:
    print('no matching movie!')
```
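As an added example (not code from the original post), the comment-out payload from the commented lines above is run against both query-building styles. It uses the standard-library sqlite3 module in place of pymysql so that it runs without a MySQL server; the `execute(sql, params)` shape is the same, with `?` as the placeholder where pymysql uses `%s`. The table contents are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the page's user_info table.
    conn = sqlite3.connect(':memory:')
    conn.execute('create table user_info (name text, password text)')
    conn.execute("insert into user_info values ('张三', 'secret')")
    conn.commit()
    return conn


def login_unsafe(conn, name, password):
    # Vulnerable: % formatting splices the raw input into the SQL text, so a
    # quote in the input closes the string literal and the rest becomes SQL.
    sql = "select * from user_info where name = '%s' and password = '%s'" % (name, password)
    return conn.execute(sql).fetchall()


def login_safe(conn, name, password):
    # The driver binds the parameters; the input is only ever treated as data.
    # (pymysql: same call shape, with %s placeholders instead of ?.)
    sql = "select * from user_info where name = ? and password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def demo():
    # Returns (rows matched by the vulnerable query, rows matched by the safe one)
    # for the page's payload, which comments out the password check.
    conn = make_db()
    payload = "张三' -- "
    unsafe_rows = login_unsafe(conn, payload, '')
    safe_rows = login_safe(conn, payload, '')
    return len(unsafe_rows), len(safe_rows)


if __name__ == '__main__':
    print(demo())  # (1, 0): the formatted query bypasses the password, the bound one does not
```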

