慕慕森
Many ways. Don't use the most obvious one (`%s` with `%`) in real code; it is open to attack.

```python
import sqlite3

# Setup so the snippets below run stand-alone: an in-memory database with
# the stocks table and one row, as in the sqlite3 module documentation.
conn = sqlite3.connect(':memory:')
c = conn.cursor()
c.execute('CREATE TABLE stocks (date text, trans text, symbol text, qty real, price real)')
c.execute("INSERT INTO stocks VALUES ('2006-01-05', 'BUY', 'RHAT', 100, 35.14)")

# Never do this -- insecure!
symbol = 'RHAT'
c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)

# Do this instead
t = ('RHAT',)
c.execute('SELECT * FROM stocks WHERE symbol=?', t)
print(c.fetchone())

# Larger example that inserts many records at a time
purchases = [('2006-03-28', 'BUY', 'IBM', 1000, 45.00),
             ('2006-04-05', 'BUY', 'MSFT', 1000, 72.00),
             ('2006-04-06', 'SELL', 'IBM', 500, 53.00),
            ]
c.executemany('INSERT INTO stocks VALUES (?,?,?,?,?)', purchases)
```

If you need more examples:

```python
# Multiple values single statement/execution
c.execute('SELECT * FROM stocks WHERE symbol=? OR symbol=?', ('RHAT', 'MSO'))
print(c.fetchall())

c.execute('SELECT * FROM stocks WHERE symbol IN (?, ?)', ('RHAT', 'MSO'))
print(c.fetchall())

# The parameters must always be passed as ONE sequence (or mapping); passing
# them as separate positional arguments raises TypeError. Passing a tuple is
# also in line with the syntax of executemany(), so make it a habit.
c.execute('SELECT * FROM stocks WHERE symbol=? OR symbol=?', ('RHAT', 'MSO'))
print(c.fetchall())

# Insert a single item
c.execute('INSERT INTO stocks VALUES (?,?,?,?,?)', ('2006-03-28', 'BUY', 'IBM', 1000, 45.00))
```
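To make the answer's warning concrete, here is an added example (not code from the answer above) that runs the string-formatted query and the parameterized query side by side against a constructed in-memory table. The row data and the quote-breaking input are constructed for the demonstration; the `?` placeholder form is the standard sqlite3 parameter binding the answer recommends.

```python
import sqlite3

# Constructed sample rows for the demonstration (not real trades).
SAMPLE_ROWS = [
    ('2006-01-05', 'BUY', 'RHAT', 100, 35.14),
    ('2006-03-28', 'BUY', 'IBM', 1000, 45.00),
    ('2006-04-05', 'BUY', 'MSFT', 1000, 72.00),
]


def make_db():
    """Create an in-memory stocks table and load the constructed rows."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE stocks (date text, trans text, symbol text, qty real, price real)')
    conn.executemany('INSERT INTO stocks VALUES (?,?,?,?,?)', SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, symbol):
    """The pattern the answer warns against: the value is spliced into the SQL text,
    so a value containing a quote changes the meaning of the statement."""
    sql = "SELECT * FROM stocks WHERE symbol = '%s'" % symbol
    return conn.execute(sql).fetchall()


def lookup_safe(conn, symbol):
    """Parameter binding: SQLite receives the SQL and the value separately, so the
    value is only ever compared as data, never parsed as SQL."""
    return conn.execute('SELECT * FROM stocks WHERE symbol = ?', (symbol,)).fetchall()


def demo():
    """Return how many rows each style returns for an ordinary symbol and for a
    constructed input that contains a quote. The unsafe style leaks every row;
    the safe style simply finds no symbol with that literal text."""
    conn = make_db()
    ordinary = 'RHAT'
    quoted_input = "' OR '1'='1"  # constructed: a string that breaks out of the quotes
    return {
        'unsafe_ordinary': len(lookup_unsafe(conn, ordinary)),
        'unsafe_quoted': len(lookup_unsafe(conn, quoted_input)),
        'safe_ordinary': len(lookup_safe(conn, ordinary)),
        'safe_quoted': len(lookup_safe(conn, quoted_input)),
    }


if __name__ == '__main__':
    print(demo())
```

The same binding rule applies to any driver that follows DB-API 2.0; only the placeholder style (`?`, `%s`, `:name`) differs, and it is the driver's `paramstyle`, not string formatting, that you should use.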