python防止sql注入的方法:
1. 使用cursor.execute(sql, args)的參數位:
sql_str = "select * from py_msgcontrol.py_msgcontrol_file_base_info where file_name = %s" args = ["12';select now();"] conn = pymysql.connect(**conn_dic) cursor = conn.cursor() cursor.execute(sql_str, args)
cursor.execute函數將傳入的args中的特殊符號進行了轉義,從而防止了sql注入的問題。
注意點是要傳入sql語句的字符串占位用引號包起來會出錯,像這樣:
sql_str = "select * from py_msgcontrol.py_msgcontrol_file_base_info where file_name = '%s'"
報錯:
pymysql.err.ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '12\\';select now();''' at line 1")
2. 使用pymysql.escape_string對參數進行轉義
args = pymysql.escape_string("12';select now();")
sql_str = "select * from py_msgcontrol.py_msgcontrol_file_base_info where file_name = '%s'" % args
conn = pymysql.connect(**conn_dic)
cursor = conn.cursor()
cursor.execute(sql_str)