Python 3 sqlite 参数化 SQL 查询 [英] Python 3 sqlite parameterized SQL-query

问题描述

我一直在尝试使用 Python 3 和 sqlite 模块进行参数化 SQL 查询，并且仅使用一个变量就成功了.然而，当使用两个变量时，我得到一个 IndexError: tuple index out of range 错误.关于导致此错误的原因有什么建议吗?

I've been trying to make a parameterized SQL-query with Python 3 and sqlite module and succeeded with just one variable. However when using two variables, I get an IndexError: tuple index out of range error. Any suggestions as to what is causing this error?

sql = ("select exists(SELECT * from USERS where PASSWORD = '{0}' AND USERNAME = '{1}')")
args = (var1,var2)
cursor = database_connection.execute((sql).format(args))

推荐答案

从不在你的 sql 命令中填写原始条目，这是在调用 sql 注入攻击.

Never fill in raw entries in your sql command, this is calling for sql injection attacks.

使用内置的填充功能.

sql = "select exists(SELECT * from USERS where PASSWORD = ? AND USERNAME = ?)"
args = (var1,var2)
cursor = database_connection.execute(sql, args)

这篇关于Python 3 sqlite 参数化 SQL 查询的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！