sql注入之采用手动拼接的情况
import pymysql
conn = pymysql.connect(
user='root',
password='zx360828htc',
host='localhost',
port=3306,
charset='utf8',
database='test'
)
cursor = conn.cursor(cursor=pymysql.cursors.DictCursor)
movieid = input('username>>').strip()
moviename = input('password>>').strip()
sql = "select * from movie where movieid = '%s' and moviename = '%s'" % (movieid, moviename)
# sql = 'select * from user_info where name = "%s" and password = "%s"' % (username, password)
# select * from user_info where name = "张三' -- fhjkasdhfkla" and password = "" 外层使用单引号出不来效果
print(sql)
cursor.execute(sql)
res = cursor.fetchall()
if res:
print(res)
else:
print('username or password error!')