SQL injection: hand parameter handling to pymysql's execute


```python
import pymysql

conn = pymysql.connect(
    user='root',
    password='zx360828htc',
    host='localhost',
    port=3306,
    charset='utf8',
    database='test'
)
cursor = conn.cursor(cursor=pymysql.cursors.DictCursor)

movieid = input('movieid>>').strip()
moviename = input('moviename>>').strip()

# Vulnerable variants: user input is spliced straight into the SQL text.
# sql = "select * from user_info where name = '%s' and password = '%s'" % (username, password)
# sql = 'select * from user_info where name = "%s" and password = "%s"' % (username, password)
# select * from user_info where name = "張三' -- fhjkasdhfkla" and password = ""
# When the outer quotes are double quotes, a single-quote payload has no effect.

# Safe variant: leave the %s placeholders in the SQL and let execute() bind the values.
sql = "select * from movie where movieid = %s and moviename = %s"
print(sql)
# cursor.execute(sql)
cursor.execute(sql, (movieid, moviename))
res = cursor.fetchall()
if res:
    print(res)
else:
    print('username or password error!')
```
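To show why the two approaches differ, here is an added example (not from the original post) that runs offline against an in-memory SQLite table standing in for the page's user_info; it compares the %-formatted query with the parameterized one using the same single-quote-plus-comment input the page discusses. The table contents are constructed; SQLite uses ? placeholders where pymysql uses %s, but the binding behaviour is the same.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the page's user_info table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user_info (name text, password text)")
    conn.execute("insert into user_info values ('zhangsan', 's3cret')")
    conn.commit()
    return conn


def login_formatted(conn, name, password):
    # Vulnerable: the input becomes part of the SQL text, so a quote in
    # `name` terminates the literal and `--` comments out the password check.
    sql = "select * from user_info where name = '%s' and password = '%s'" % (name, password)
    return conn.execute(sql).fetchall()


def login_parameterized(conn, name, password):
    # Hardened: the SQL text is fixed; the driver binds the values separately
    # (pymysql: %s placeholders + cursor.execute(sql, params)).
    sql = "select * from user_info where name = ? and password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def demo():
    """Run both variants with the comment-injection input and a legitimate login."""
    conn = make_db()
    payload = "zhangsan' -- "  # constructed: mirrors the page's "張三' -- ..." input
    return {
        # Formatted query collapses to: ... where name = 'zhangsan' -- ...
        "formatted": login_formatted(conn, payload, ""),
        # Bound value is compared literally, so no row matches.
        "parameterized": login_parameterized(conn, payload, ""),
        # Correct credentials still work through the parameterized path.
        "legit": login_parameterized(conn, "zhangsan", "s3cret"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```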

