- 1v22.03 鸿蒙内核源码分析(汇编基础) | CPU上班也要打卡 | 百篇博客分析HarmonyOS源码_鸿蒙系统虚拟上班打卡
- 2电商后台管理系统的项目优化_电商后台商品管理功能怎么优化
- 3微信小程序的分享配置onShareAppMessage_shareappmessage:ok
- 4uniapp中的Tabbar中间突起样式,并且绑定点击方法_uniapp对tabber绑定点击事件
- 5actor-critic 相关算法简述_actorcritic算法的active网络与target网络
- 6业务数据同步工具NiFi介绍和使用
- 7卢辉《数据挖掘与数据化运营实战:思路、方法、技巧和应用》第一遍 读书笔记_引用《数据挖掘与数据化运营实战》 — 卢辉
- 8ROS2——通过launch文件启动一个节点_launch。py文件中启动节点
- 9《软件工程》张秋余等著 部分习题答案_软件工程张秋余课后答案
- 1010.16 杭州银行笔试面经 - 编程题 &; 题解_杭州银行笔试面经 - 编程题 && 题解
python使用mysql,防止SQL注入_pymysql防止sql注入
赞
踩
python使用mysql,防止SQL注入
import pymysql # %s sql注入 from pymysql import escape_string def read_data0(): # name = "张三' or 1=1 #" gender = "woman' or 1=1 #" sql = """ select * from my_students where ms_gender ='%s' """ % gender try: conn = pymysql.Connect(host="127.0.0.1", port=3306, user="root", password="admin123", db="my_test") cursor = conn.cursor() cursor.execute(sql) data = cursor.fetchall() print("data0", data) cursor.close() conn.close() except Exception as e: print(e.__str__()) # %s 防止sql注入 # 把直接拼接的条件变量放入集合再把集合带入执行SQL的方法,就可以避免被注入的风险 def read_data1(): # name = "张三" # gender = "woman " gender = "woman 'or 1=1 #" params = [] params.append(gender) sql = """ select * from my_students where ms_gender =%s""" try: conn = pymysql.Connect(host="127.0.0.1", port=3306, user="root", password="admin123", db="my_test") cursor = conn.cursor() cursor.execute(sql, params) data = cursor.fetchall() print("data1", data) cursor.close() conn.close() except Exception as e: print(e.__str__()) # .format sql注入 def read_data2(): # name = "张三' or 1=1 #" gender = "woman' or 1=1 #" sql = """ select * from my_students where ms_gender ='{}' """ try: conn = pymysql.Connect(host="127.0.0.1", port=3306, user="root", password="admin123", db="my_test") cursor = conn.cursor() cursor.execute(sql.format(gender)) data = cursor.fetchall() print("data2", data) cursor.close() conn.close() except Exception as e: print(e.__str__()) # 防止sql注入 # 不要在SQL中拼接参数,字符转义只会针对参数args # orm框架都使用pymysql/MySQL-python等库,并且都使用execute(query,args)调用,将sql和参数分开传 def read_data3(): name = "张三' or 1=1 #" # name = "张三" gender = "man" params = [] params.append(name) params.append(gender) # gender = "woman ' or 1=1 #" sql = """ select * from my_students where ms_name =%s and ms_gender = %s""" print(sql) try: conn = pymysql.Connect(host="127.0.0.1", port=3306, user="root", password="admin123", db="my_test") cursor = conn.cursor() cursor.execute(sql, params) data = cursor.fetchall() print("data3", data) cursor.close() conn.close() except Exception as e: print(e.__str__()) read_data0() read_data1() read_data2() read_data3()
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
运行结果:
data0 ((1, ‘h202201’, ‘man’, ‘张三’, ‘01班’, 1, datetime.datetime(2022, 6, 13, 8, 59, 55), datetime.datetime(2022, 4, 12, 8, 59, 55, 668494)), (2, ‘h202202’, ‘woman’, ‘李四’, ‘01班’, 1, datetime.datetime(2022, 6, 13, 9, 0, 12), datetime.datetime(2022, 4, 12, 9, 0, 12, 917042)), (3, ‘h202203’, ‘man’, ‘王五’, ‘01班’, 1, datetime.datetime(2022, 6, 14, 9, 0, 33), datetime.datetime(2022, 4, 12, 9, 0, 33, 384853)))
data1 ()
data2 ((1, ‘h202201’, ‘man’, ‘张三’, ‘01班’, 1, datetime.datetime(2022, 6, 13, 8, 59, 55), datetime.datetime(2022, 4, 12, 8, 59, 55, 668494)), (2, ‘h202202’, ‘woman’, ‘李四’, ‘01班’, 1, datetime.datetime(2022, 6, 13, 9, 0, 12), datetime.datetime(2022, 4, 12, 9, 0, 12, 917042)), (3, ‘h202203’, ‘man’, ‘王五’, ‘01班’, 1, datetime.datetime(2022, 6, 14, 9, 0, 33), datetime.datetime(2022, 4, 12, 9, 0, 33, 384853)))
select * from my_students where ms_name =%s and ms_gender = %s
data3 ()
Process finished with exit code 0
