Python SQL DB字符串文字和转义 [英] Python SQL DB string literals and escaping
问题描述
有人知道MySQLdb是否会自动转义SQL语句的字符串文字吗?
Anyone know if the MySQLdb will automatically escape string literals for SQL statements?
例如,我正在尝试执行以下操作:
For instance I am trying to execute the following:
cursor.execute("""SELECT * FROM `accounts` WHERE `account_name` = 'Blah'""")
这会自动转义帐户名吗?还是只有执行以下操作才能逃脱?
Will this escape the account name automatically? Or will it only escape if I do the following?:
x = 'Blah'
cursor.execute("""SELECT * FROM `accounts` WHERE `account_name` = %s""", (x))
还是两者兼而有之?任何人都可以澄清一下,因为我找不到任何信息.
Or will it do it for both? Can anyone clarify this as I can't find any information on it.
推荐答案
在第一个示例中没有转义,它是原始SQL查询.这是有效的,它将起作用,但是显然,只有在您始终要搜索帐户Blah
时,它才有意义.
There is no escaping in the first example, it is a raw SQL query. It's valid, it'll work, but obviously it only makes sense if you always want to search for account Blah
.
当需要从变量中的名称获取帐户时,将需要参数化的版本.但是,您的示例可能无法正常工作,因为(x)
不是元组,而只是值x
.元组序列中的x
将是(x,)
.为避免混淆,您可能更喜欢使用列表[x]
.
When you need to get an account from a name in a variable, you will need the parameterised version. However your example may not work as expected as (x)
isn't a tuple, it's just the value x
. x
in a tuple sequence would be (x,)
. To avoid confusion you may prefer to use the list [x]
.
这篇关于Python SQL DB字符串文字和转义的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!