sql注入之采用手动拼接的情况

import pymysql conn = pymysql.connect( user='root', password='zx360828htc', host='localhost', port=3306, charset='utf8', database='test' ) cursor = conn.cursor(cursor=pymysql.cursors.DictCursor) movieid = input('username>>').strip() moviename = input('password>>').strip() sql = "select * from movie where movieid = '%s' and moviename = '%s'" % (movieid, moviename) # sql = 'select * from user_info where name = "%s" and password = "%s"' % (username, password) # select * from user_info where name = "张三' -- fhjkasdhfkla" and password = "" 外层使用单引号出不来效果 print(sql) cursor.execute(sql) res = cursor.fetchall() if res: print(res) else: print('username or password error!')
posted @ 2020-09-24 21:59  HackerEarl  阅读(260)  评论(0编辑  收藏  举报