pymysql
連接mysql
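import pymysql

# Tutorial connection settings.
# NOTE(review): a hard-coded root account with a trivial password is only
# acceptable in a throwaway lab. Real code should load credentials from
# configuration or the environment and connect as a least-privilege account.
mysql_addres = {
    "host": "localhost",
    "user": "root",
    "password": "123456",
    "charset": "utf8",
}

# Connect to the database. connect() raises on failure, so reaching the next
# line already means the handshake succeeded.
conn = pymysql.connect(**mysql_addres)

# The original tested `conn.server_status`, but that attribute is a bitmask of
# server status flags, not an error code, so a non-zero value does not mean the
# connection is broken. `conn.open` reports whether the socket is still open.
# The original also used `return` at module level, which is a SyntaxError.
if not conn.open:
    print("連接數據庫異常!")
    raise SystemExit(1)

# DictCursor returns each row as a dict keyed by column name.
# (The original called `con.cursor`, but the connection variable is `conn`.)
cursor = conn.cursor(pymysql.cursors.DictCursor)
try:
    use_database = "use day40_3_zuoye"
    sql1 = "select * from course"
    cursor.execute(use_database)  # select the database
    cursor.execute(sql1)  # run the query

    res = cursor.fetchall()  # all rows of the result
    # The cursor now sits at the end of the result set, so a second fetchall()
    # has nothing left to return until the cursor is moved back.
    res1 = cursor.fetchall()

    # mode="relative": move from the current position (a negative value moves
    # backwards). mode="absolute": position counted from the start of the result.
    # Scrolling back on an empty result would be out of range, so guard it.
    if res:
        cursor.scroll(-1, mode="relative")
finally:
    # Release the cursor and the connection even if a statement fails.
    cursor.close()
    conn.close()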
sql注入攻擊
sql注入指的是,用戶在輸入數據時,按照sql的語法,來編寫帶有攻擊目的的sql語句,並插入到原始語句中執行.
例如:登錄功能,需要用戶輸入用戶名和密碼
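import pymysql

# Bind both handles up front so the `finally` block can test them even when
# connect() fails; otherwise the cleanup itself raises NameError.
conn = None
cursor = None
try:
    mysql_addres = {
        "host": "localhost",
        "user": "root",
        "password": "123456",
        "charset": "utf8",
    }
    # NOTE(review): these settings select no database, so the query below needs
    # one to be chosen first -- confirm which schema this example targets.
    conn = pymysql.connect(**mysql_addres)  # connect to the database
    # The original never created the cursor it goes on to use.
    cursor = conn.cursor()

    user = input("username:")
    password = input("password:")

    # INTENTIONALLY VULNERABLE -- teaching example only, never copy this line.
    # The user-supplied text is spliced into the SQL string with %-formatting,
    # so quotes or comment markers in the input become part of the statement.
    # The safe form passes the values as the second argument to execute(),
    # as the parameterised example later on this page does.
    count = cursor.execute("select *from user where name = '%s' and password = '%s'" % (user,password))
    if count:
        print("登錄成功!")
    else:
        print("登錄失敗!")
except Exception as e:
    print(type(e), e)
finally:
    if cursor is not None:
        cursor.close()
    if conn is not None:
        conn.close()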
上述代碼有被注入攻擊的危險
嘗試在用戶名中輸入以下內容,密碼隨意:
jerry' -- ass
或者連用戶名都不用寫:
' or 1 = 1 -- asaa
這兩種輸入之所以能通過驗證,是因為單引號提前結束了字符串,而 -- 把後面的密碼條件變成了注釋,原始語句的判斷邏輯因此被改寫。
解決方法:
客戶端在發送sql給服務器前進行re判斷
這樣的問題在於一些程序可以模擬客戶端直接發送請求給服務器
在服務器端將sql交給mysql時作進一步處理,相關的代碼其實pymysql已經做了封裝
我們只要保證不要自己來拼接sql語句即可,將拼接參數操作交給pymysql。注意:佔位符只能用於值,表名、列名等標識符不能參數化,如需動態指定,應先用白名單校驗。
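import pymysql

# Bind both handles up front so the `finally` block can test them even when
# connect() fails; otherwise the cleanup raises NameError and hides the real error.
conn = None
cursor = None
try:
    # NOTE(review): root with an empty password is a lab-only setup; use a
    # dedicated least-privilege account with a real secret outside a tutorial.
    conn = pymysql.connect(host="127.0.0.1",port=3306,user="root",password="",db="day46",)
    print("連接服務器成功!")
    cursor = conn.cursor(pymysql.cursors.DictCursor)

    user = input("username:")
    password = input("password:")

    # The placeholders are bare %s with no quotes around them: the driver
    # escapes and quotes each value itself when it is passed as a parameter.
    sql = "select *from user where name = %s and password = %s"
    print(sql)
    count = cursor.execute(sql, (user, password))  # values handed to the driver, not formatted in

    # NOTE(review): this compares the submitted password with the stored column
    # directly, which implies plaintext storage. A real login should store a
    # salted password hash and verify against that instead.
    if count:
        print("登錄成功!")
    else:
        print("登錄失敗!")
except Exception as e:
    print(type(e), e)
finally:
    if cursor is not None:
        cursor.close()
    if conn is not None:
        conn.close()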
pymysql增刪改查
pymysql默認開啟了事務(autocommit默認為False),增刪改之後必須調用commit()才會真正生效
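# Transaction enabled (autocommit off)
def test():
    """Transfer 500 from 張三 to 李四 inside one transaction.

    Both updates are committed together. If either statement fails, or either
    one matches no row, the transaction is rolled back and the error is
    re-raised so that a half-completed transfer is never persisted.

    Raises:
        RuntimeError: if the debit or the credit matched no row.
    """
    mysql_addres = {
        "host": "localhost",
        "user": "root",
        "password": "123456",
        "charset": "utf8",
        "db":"test",
        "autocommit":False  # False is already pymysql's default
    }
    con = pymysql.connect(**mysql_addres)
    cursor = con.cursor(pymysql.cursors.DictCursor)
    try:
        # Transfer: 張三 sends 500 to 李四.
        # NOTE(review): nothing here stops the balance going negative; whether
        # the schema enforces that is not visible from this snippet.
        sql1 = "update plf set money = money - 500 where name = %s"
        debited = cursor.execute(sql1, ("張三",))
        sql2 = "update plf set money = money + 500 where name = %s"
        credited = cursor.execute(sql2, ("李四",))
        # execute() returns the affected-row count; zero on either side means
        # an account was not found and money would be lost or created.
        if not debited or not credited:
            raise RuntimeError("transfer aborted: an account row was not updated")
        con.commit()
    except Exception:
        # Undo the partial transfer before propagating the error.
        con.rollback()
        raise
    finally:
        cursor.close()
        con.close()


test()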
pymysql 不開啟事務
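def test_one():
    """Transfer 500 from 張三 to 李四 with autocommit on and an explicit transaction.

    With autocommit enabled every statement would normally be committed on its
    own, so the transfer is wrapped in an explicit "start transaction" /
    "commit" pair. On any error the transaction is rolled back and the error
    is printed; the cursor and connection are always closed.
    """
    mysql_addres = {
        "host": "localhost",
        "user": "root",
        "password": "123456",
        "charset": "utf8",
        "db":"test",
        "autocommit":True  # pymysql's default is False
    }
    con = pymysql.connect(**mysql_addres)
    cursor = con.cursor(pymysql.cursors.DictCursor)
    try:
        # Transfer: 張三 sends 500 to 李四.
        cursor.execute("start transaction")
        sql1 = "update plf set money = money - 500 where name = %s"
        cursor.execute(sql1, ("張三",))
        sql2 = "update plf set money = money + 500 where name = %s"
        cursor.execute(sql2, ("李四",))
        cursor.execute("commit")
    except Exception as e:
        con.rollback()
        # The original swallowed the error silently; report it so that a
        # failed transfer is visible.
        print(type(e), e)
    finally:
        # The original closed these only on success, leaking both handles on
        # the error path.
        cursor.close()
        con.close()


test_one()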
增刪改
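import pymysql

# 1. Open the connection.
# Bind both handles up front so the `finally` block can test them even when
# connect() fails; otherwise the cleanup raises NameError and hides the real error.
conn = None
cursor = None
try:
    # NOTE(review): root with an empty password is a lab-only setup.
    conn = pymysql.connect(host="127.0.0.1",port=3306,user="root",password="",db="day46",)
    print("連接服務器成功!")
    cursor = conn.cursor(pymysql.cursors.DictCursor)

    # Insert
    # sql = "insert into user values(null,%s,%s,%s)"
    # count = cursor.execute(sql,("tom","man","123321"))

    # Insert several rows in one call
    # sql = "insert into user values (null,%s,%s,%s)"
    # count = cursor.executemany(sql, [("周芷若","woman","123"), ("趙敏","woman","321")])

    # Delete
    # count = cursor.execute("delete from user where id = 1")

    # Update
    count = cursor.execute("update user set name = '劉大炮' where id = 1")

    # autocommit is off by default in pymysql, so without an explicit commit
    # the change is discarded when the connection closes.
    conn.commit()

    # `count` is the number of affected rows; zero means no row was changed,
    # which this example reports as a failure.
    if count:
        print("執行成功!")
    else:
        print("執行失敗!")

    # Id generated by the most recent insert
    # print(cursor.lastrowid)
except Exception as e:
    print(type(e), e)
finally:
    if cursor is not None:
        cursor.close()
    if conn is not None:
        conn.close()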