sql注入之交给pymysql的execute进行处理
import pymysql
conn = pymysql.connect(
user='root',
password='zx360828htc',
host='localhost',
port=3306,
charset='utf8',
database='test'
)
cursor = conn.cursor(cursor=pymysql.cursors.DictCursor)
movieid = input('movieid>>').strip()
moviename = input('moviename>>').strip()
# sql = "select * from user_info where name = '%s' and password = '%s'" % (username, password)
# sql = 'select * from user_info where name = "%s" and password = "%s"' % (username, password)
# select * from user_info where name = "张三' -- fhjkasdhfkla" and password = "" 外层使用单引号出不来效果
sql = "select * from movie where movieid = %s and moviename = %s"
print(sql)
# cursor.execute(sql)
cursor.execute(sql, (movieid, moviename))
res = cursor.fetchall()
if res:
print(res)
else:
print('username or password error!')