MySQL parameterized queries


Problem description

I am having a hard time using the MySQLdb module to insert information into my database. I need to insert 6 variables into the table.

cursor.execute ("""
    INSERT INTO Songs (SongName, SongArtist, SongAlbum, SongGenre, SongLength, SongLocation)
    VALUES
        (var1, var2, var3, var4, var5, var6)

""")

Can someone help me with the syntax here?

Accepted answer

Beware of using string interpolation for SQL queries, since it won't escape the input parameters correctly and will leave your application open to SQL injection vulnerabilities. The difference might seem trivial, but in reality it's huge.

Wrong (Python's % operator splices the values into the SQL text)

c.execute("SELECT * FROM foo WHERE bar = %s AND baz = %s" % (param1, param2))

Right (with escaping: the values are passed to the driver as a second argument)

c.execute("SELECT * FROM foo WHERE bar = %s AND baz = %s", (param1, param2))

It adds to the confusion that the modifiers used to bind parameters in a SQL statement vary between different DB API implementations, and that the mysql client library uses printf-style syntax instead of the more commonly accepted '?' marker (used by e.g. python-sqlite).
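The following is an added example, not code from the question or the answer above and not part of MySQLdb. It shows the question's six-column INSERT written with parameters, and then runs the answer's "wrong" and "right" patterns side by side so the difference is visible on real input. Because the verifier has no MySQL server, Python's bundled sqlite3 driver stands in for MySQLdb; the two drivers differ only in the placeholder they expect, which each exposes as the DB-API `paramstyle` attribute (`sqlite3.paramstyle == "qmark"`, `MySQLdb.paramstyle == "format"`). The `adapt()` helper, the `Songs` schema, the sample rows and the injection payload are all constructed for this demonstration.

```python
import sqlite3

# Placeholder each DB-API driver expects for positional parameters:
# sqlite3.paramstyle == "qmark" ('?'), MySQLdb.paramstyle == "format" ('%s').
PLACEHOLDERS = {"qmark": "?", "format": "%s"}

# The INSERT from the question, with a neutral "{}" marker per value that
# adapt() turns into the driver's own placeholder before execute() sees it.
INSERT_SONG = (
    "INSERT INTO Songs (SongName, SongArtist, SongAlbum, SongGenre, SongLength, SongLocation) "
    "VALUES ({}, {}, {}, {}, {}, {})"
)
SELECT_BY_ARTIST = "SELECT SongName FROM Songs WHERE SongArtist = {}"


def adapt(sql, paramstyle):
    """Rewrite the neutral '{}' markers into the placeholder for `paramstyle`."""
    try:
        return sql.replace("{}", PLACEHOLDERS[paramstyle])
    except KeyError:
        raise ValueError("unsupported DB-API paramstyle: %r" % paramstyle)


def create_schema(cursor):
    # Constructed table with the six columns named in the question.
    cursor.execute(
        "CREATE TABLE Songs (SongName TEXT, SongArtist TEXT, SongAlbum TEXT, "
        "SongGenre TEXT, SongLength INTEGER, SongLocation TEXT)"
    )


def insert_song(cursor, paramstyle, name, artist, album, genre, length, location):
    """Right: six values bound by the driver; no quoting or escaping by hand."""
    cursor.execute(adapt(INSERT_SONG, paramstyle),
                   (name, artist, album, genre, length, location))


def songs_by_artist_safe(cursor, paramstyle, artist):
    """Right: the value travels as a parameter, so quotes inside it stay data."""
    cursor.execute(adapt(SELECT_BY_ARTIST, paramstyle), (artist,))
    return [row[0] for row in cursor.fetchall()]


def songs_by_artist_unsafe(cursor, artist):
    """Wrong: Python's % operator splices the value into the SQL text itself."""
    cursor.execute("SELECT SongName FROM Songs WHERE SongArtist = '%s'" % artist)
    return [row[0] for row in cursor.fetchall()]


def demo():
    """Run both variants against an in-memory SQLite database with constructed rows."""
    paramstyle = sqlite3.paramstyle  # would be MySQLdb.paramstyle with that driver
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    create_schema(cur)
    insert_song(cur, paramstyle, "Song A", "Artist One", "Album 1", "Rock", 180, "/music/a.mp3")
    insert_song(cur, paramstyle, "Song B", "Artist Two", "Album 2", "Jazz", 240, "/music/b.mp3")
    insert_song(cur, paramstyle, "Tune", "O'Neil", "Album 3", "Folk", 200, "/music/c.mp3")

    payload = "x' OR '1'='1"  # classic tautology injection, constructed for the demo
    results = {
        "safe_apostrophe": songs_by_artist_safe(cur, paramstyle, "O'Neil"),
        "safe_payload": songs_by_artist_safe(cur, paramstyle, payload),
        "unsafe_payload": songs_by_artist_unsafe(cur, payload),
    }
    try:
        # The apostrophe in O'Neil breaks the hand-built SQL outright.
        songs_by_artist_unsafe(cur, "O'Neil")
        results["unsafe_apostrophe"] = "no error"
    except sqlite3.Error as exc:
        results["unsafe_apostrophe"] = "error: %s" % exc
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The parameterized lookup returns nothing for the payload and finds "O'Neil" correctly, while the interpolated lookup returns every row for the payload and fails with a syntax error on a plain apostrophe. With MySQLdb the same functions work unchanged once `adapt()` is given `MySQLdb.paramstyle` (`"format"`); one caveat specific to that driver is that a literal `%` in the SQL text (for example in a `LIKE '%x%'` pattern) must be written as `%%` whenever a parameter tuple is passed, because MySQLdb expands the escaped values with Python's `%` formatting.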

