Python的mysqldb晦涩文档 [英] Python's mysqldb obscure documentation

问题描述

Python模块mysqldb中有许多转义函数，我不了解它们的文档，而我在查找它们时所做的努力并未显示任何内容.

There are many escape functions in the Python module mysqldb whose documentation I don't understand, and my efforts at looking them up have revealed nothing.

>>> print _mysql.escape.__doc__
escape(obj, dict) -- escape any special characters in object obj
using mapping dict to provide quoting functions for each type.
Returns a SQL literal string.

此文档页面说的是同样的话.但是那个映射字典"应该是什么呢?我尝试了几件事(大部分是随机的)，但只返回了错误.更令人沮丧的是，尽管escape_string()方法有效，但其文档字符串为:

This documentation page says the same thing. But what's supposed to be in that "mapping dict"? I tried a couple of (mostly random) things and only go errors back. What's even more frustrating is that, while the escape_string() method works, its documentation string is:

>>> print _mysql.escape_string.__doc__
escape_string(s) -- quote any SQL-interpreted characters in string s.

Use connection.escape_string(s), if you use it at all.
_mysql.escape_string(s) cannot handle character sets. You are
probably better off using connection.escape(o) instead, since
it will escape entire sequences as well as strings.

所以，我最好使用_mysql.escape()，对吗?好吧，呃...好吧，但是怎么办呢? 映射字典"到底是什么?至少以这种方式，PHP的隐秘性要低得多.

So, I am better off using _mysql.escape(), am I? Well, uh... okay, but how? What on earth is that "mapping dict"? PHP, in that way at least, was a lot less cryptic.

推荐答案

我是通过查看/usr/lib/pymodules/python2.6/MySQLdb/connections.py了解到的 了解它如何调用connection.escape.稍微闻一闻会导致 MySQLdb.converters.conversions.这是一个代码段:

I learned this by looking in /usr/lib/pymodules/python2.6/MySQLdb/connections.py to see how it called connection.escape. A little sniffing around leads to MySQLdb.converters.conversions. Here is a snippet:

{0: <class 'decimal.Decimal'>,
 1: <type 'int'>,
...
 <type 'dict'>: <built-in function escape_dict>,
 <type 'NoneType'>: <function None2NULL at 0xae9717c>,
 <type 'set'>: <function Set2Str at 0xae9709c>,
 <type 'str'>: <function Thing2Literal at 0xae971b4>,
 <type 'tuple'>: <built-in function escape_sequence>,
 <type 'object'>: <function Instance2Str at 0xae971ec>,
 <type 'unicode'>: <function Unicode2Str at 0xae9710c>,
 <type 'array.array'>: <function array2Str at 0xae9725c>,
 <type 'bool'>: <function Bool2Str at 0xae97294>}

您可以像这样使用它:

import MySQLdb
import MySQLdb.converters
import datetime

now=datetime.datetime.now()
connection=MySQLdb.connect(
    host=HOST,user=USER,passwd=PASS,db=MYDB)
print(connection.escape((1,2,now),MySQLdb.converters.conversions))
# ('1', '2', "'2010-07-24 19:33:59'")

PS.关于Bobby表:对于MySQLdb的正常使用，您不必手动转义参数.只需在调用cursor.execute时使用参数化的参数，MySQLdb就会自动为您引用参数.

PS. Regarding Bobby Tables: For normal use of MySQLdb, you don't have to manually escape arguments. Just use parametrized arguments when calling cursor.execute, and MySQLdb will automatically quote the arguments for you.

例如:

sql='insert into students (name,grade,date) values (%s, %s, %s)'
args=("Robert'); DROP TABLE Students; --",60,now)   # no manual quotation necessary
cursor=connection.cursor()
cursor.execute(sql,args)

这篇关于Python的mysqldb晦涩文档的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！