sql注入之交给pymysql的execute进行处理

import pymysql conn = pymysql.connect( user='root', password='zx360828htc', host='localhost', port=3306, charset='utf8', database='test' ) cursor = conn.cursor(cursor=pymysql.cursors.DictCursor) movieid = input('movieid>>').strip() moviename = input('moviename>>').strip() # sql = "select * from user_info where name = '%s' and password = '%s'" % (username, password) # sql = 'select * from user_info where name = "%s" and password = "%s"' % (username, password) # select * from user_info where name = "张三' -- fhjkasdhfkla" and password = "" 外层使用单引号出不来效果 sql = "select * from movie where movieid = %s and moviename = %s" print(sql) # cursor.execute(sql) cursor.execute(sql, (movieid, moviename)) res = cursor.fetchall() if res: print(res) else: print('username or password error!')
posted @ 2020-09-24 22:05  HackerEarl  阅读(1151)  评论(0编辑  收藏  举报