Python 字符串拼接 sql ,造成 sql 注入例子

簡單的 userinfo 表

**字符串拼接 sql **

import pymysql

# 測試環境的數據庫連接
conn = pymysql.connect(host='192.168.0.214', port=3306, user='root', passwd='123456', db='tmpdb')
cursor = conn.cursor()

# 字符串拼接sql，用戶名和密碼都是亂寫
sql = 'select username, password from userinfo where username="%s" and password="%s"'
sql = sql %('yy" or 1=1 -- ', '11111')
cursor.execute(sql)
r = cursor.fetchone()
print(r)

cursor.close()
conn.close()

# 運行結果，正確取到數值
('klvchen', '123456')

正常的寫法

# __author__:"klvchen"
# date: 2018/12/12
import pymysql

conn = pymysql.connect(host='192.168.0.214', port=3306, user='root', passwd='123456', db='tmpdb')
cursor = conn.cursor()

cursor.execute('select username, password from userinfo where username=%s and password=%s', ('yy" or 1=1 -- ', '11111'))
r = cursor.fetchone()
print(r)

cursor.close()
conn.close()

# 運行結果，沒有取到數值
None