【Python】pymysq sql 注入问题

注入问题:
用户通过输入带注释或者逻辑判断的语句影响数据库数据的比对,一次漏洞作出额外的操作

import pymysql

usr = input('user:').strip()
psw = input('password:').strip()

conn = pymysql.connect(
    host='127.0.0.1',
    port=3306,
    user='caya',
    password='123',
    db='db1',
    charset='utf8'
)

# 拿到游标
cursor = conn.cursor()

# 执行SQL语句''
# 用户输入caya" -- xxx  会导致-- 后面的内容都识别为注释,导致认证强制成功
# sql = 'select * from userinfo where user = "%s" and psw="%s"' % (usr, psw)
sql = 'select * from userinfo where user = %s and psw=%s'
# rows = cursor.execute(sql)
rows = cursor.execute(sql, (usr, psw))   # 采用自带的字符串拼接
cursor.close()
conn.close()

# 判断
if rows:
    print('login success')
else:
    print('login fail')