pymysql模块使用,进行增删改查以及sql注入问题

pymysql的基本使用
import pymysql

conn = pymysql.connect(
    user='root',
    password='555',
    host='127.0.0.1',
    port=3306,
    charset='utf8',
    database='oldboy_edu',
)

# 产生一个游标的对象
cursor = conn.cursor()
sql = 'select*from user_info as t1'
res = cursor.execute(sql)
print(res)
ret = cursor.fetchall()
print(type(ret))
print(ret)

结果:
3
<class 'tuple'>
((1, 'yyx', '12'), (2, 'yyh', '98'), (3, None, None))


import pymysql

conn = pymysql.connect(
    user='root',
    password='555',
    host='127.0.0.1',
    port=3306,
    charset='utf8',
    database='oldboy_edu',
)

# 产生一个游标的对象, 括号内是为了将查询出来的结果给制作成字典的形式返回
cursor = conn.cursor(pymysql.cursors.DictCursor)
sql = 'select*from user_info as t'
# 执行sql语句
res = cursor.execute(sql)
# 返回的是当前sql所影响的行数  数据类型是整型
print(res)
# 获取查询结果中的所有的数据 数据类型是元组套元组
# ret = cursor.fetchall()
# print(ret)
# 只获取查询结果中的一条数据 数据类型是字典
# print(cursor.fetchone())
# 获取指定几条数据,如果数字超了也不会报错 数据类型是列表套字典
# print(cursor.fetchmany(8))


# 这里要注意,如果现先有fetchone,fetchall就会跟着后面查询
# print(cursor.fetchone())
# print(cursor.fetchone())
# print(cursor.fetchmany())


print(cursor.fetchone())
# 相对移动 这里要注意, 基于指针所在的位置往后偏移
# cursor.scroll(1, 'relative')
# 绝对偏移 基于起始位置 往后偏移
cursor.scroll(1, 'absolute')
print(cursor.fetchall())


sql注入问题
import pymysql

conn = pymysql.connect(
    user='root',
    password='555',
    host='127.0.0.1',
    port=3306,
    charset='utf8',
    db='oldboy_edu',
)
cursor = conn.cursor(cursor=pymysql.cursors.DictCursor)
username = input('username:').strip()
password = input('password:').strip()
sql = "select *from user where name = '%s' and password = '%s " % (username, password)
print(sql)
cursor.execute(sql)
res = cursor.fetchall()
if res:
    print(res)
else:
    print('username or password error!')
	
    
    问题一:
username:yyx' -- dadadasdad.da.da
password:
select *from user where name = 'yyx' -- dadadasdad.da.da' and password = ' 
[{'id': 1, 'name': 'yyx', 'password': '123', 'age': 21, 'address': '上海'}]

问题二:
username:' or 1=1 -- adada.dad.ad.ada
password:
select *from user where name = '' or 1=1 -- adada.dad.ad.ada' and password = ' 
[{'id': 1, 'name': 'yyx', 'password': '123', 'age': 21, 'address': '上海'}, {'id': 2, 'name': '小白边', 'password': '456', 'age': 25, 'address': '北京'}]


sql问题:

​ 利用特殊符号和注释语法, 巧妙的绕过真正的sql校验

所以关键的数据 不需要自己动手去拼接 而是交由excute帮你去做拼接

# 改良以后的代码
import pymysql

conn = pymysql.connect(
    user='root',
    password='555',
    host='127.0.0.1',
    port=3306,
    charset='utf8',
    database='oldboy_edu',
)

# 新建游标
cursor = conn.cursor(pymysql.cursors.DictCursor)
username = input('username:').strip()
password = input('password').strip()
sql = "select *from user where name='%s' and password = '%s' "
cursor.execute(sql, (username, password))
res = cursor.fetchall()
if res:
    print(res)
else:
    print('username or password error!')

解决了sql注入的问题:
	username:' or 1=1 -- dada.daada.da
    password:
    username or password error!
    
    ===============================
    
    username:yyx' -- dada.dad.ada.d
    password:
    username or password error!
	
    
数据的增删改

针对增删改操作,执行程度相对偏高

所有要想对其操作, 必须要一步的确认操作

两种方式:

​ 第一:在conn中添加autocommit=True;

​ 第二:在excute后面加上conn.commint()

import pymysql

conn = pymysql.connect(
    user='root',
    password='555',
    host='127.0.0.1',
    port=3306,
    charset='utf8',
    db='oldboy_edu',
    autocommit=True,

)
cursor = conn.cursor(cursor=pymysql.cursors.DictCursor)
# username = input('username:').strip()
# password = input('password').strip()
# 增加
# sql = "insert into user (name, password, age, address) values('yyh','456',87,'上海')"
# 修改
# sql = "update user set name = 'yyxnb' where id = 3"
# 删除
sql = "delete from user where id =1"

res = cursor.execute(sql)
print(res)


posted @ 2019-12-17 00:19  godlover  阅读(161)  评论(0编辑  收藏  举报