Python 的字符串格式在 mysql 中应用时会引发错误
Python's string formatting throws error when applied within mysql
我在 python 中编写了一个脚本,用于从网站抓取一些数据并将它们存储在 mysql 中。如果我选择两个选项来插入数据,我的脚本会成功完成工作:
mycursor.execute("INSERT INTO webdata (name,bubble,review) VALUES ('{}','{}','{}')".format(name,bubble,review))
mycursor.execute("INSERT INTO webdata (name,bubble,review) VALUES (%s,%s,%s)",(name,bubble,review))
但是,当我尝试使用 python's new string formatting 执行相同操作时会抛出错误,如下所示:
mycursor.execute("INSERT INTO webdata (name,bubble,review) VALUES (f'{name},{bubble},{review}')")
抛出错误:
line 429, in _handle_result
raise errors.get_exception(packet)
mysql.connector.errors.ProgrammingError: 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''{name},{bubble},{review}')' at line 1
哪里出了问题以及如何解决它,因为我非常愿意坚持最后的格式样式?
如果您想编写不容易受到 SQL 注入漏洞攻击的代码,那么您不能将 f-strings 与数据库一起使用,就这么简单。
最好让 MySQL 连接器使用 %s 绑定变量。这避免了 SQL 注入。这是一个工作示例。
import MySQLdb
# set up db connection
dbApi = MySQLdb
connection = MySQLdb.connect(
host = <hostname>,
user = <databasename>,
passwd = password,
db = <dbname>,
port = 3306,
charset = "utf8")
cursor = connection.cursor(dbApi.cursors.DictCursor)
# insert records
records = [['George', 'Ten', 'Good'],
['Ringo', 'Ten', 'Good'],
['Paul', 'Ten', 'Good'],
['John', 'Ten', 'Good']]
insert_sql = 'insert into webdata (name, bubble, review) values (%s, %s, %s)'
for record in records:
cursor.execute(insert_sql, record)
# list record
sql = 'select * from webdata'
cursor.execute(sql)
data = cursor.fetchall()
print 'data:', data
connection.commit()
cursor.close()
我在 python 中编写了一个脚本,用于从网站抓取一些数据并将它们存储在 mysql 中。如果我选择两个选项来插入数据,我的脚本会成功完成工作:
mycursor.execute("INSERT INTO webdata (name,bubble,review) VALUES ('{}','{}','{}')".format(name,bubble,review))
mycursor.execute("INSERT INTO webdata (name,bubble,review) VALUES (%s,%s,%s)",(name,bubble,review))
但是,当我尝试使用 python's new string formatting 执行相同操作时会抛出错误,如下所示:
mycursor.execute("INSERT INTO webdata (name,bubble,review) VALUES (f'{name},{bubble},{review}')")
抛出错误:
line 429, in _handle_result
raise errors.get_exception(packet)
mysql.connector.errors.ProgrammingError: 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''{name},{bubble},{review}')' at line 1
哪里出了问题以及如何解决它,因为我非常愿意坚持最后的格式样式?
如果您想编写不容易受到 SQL 注入漏洞攻击的代码,那么您不能将 f-strings 与数据库一起使用,就这么简单。
最好让 MySQL 连接器使用 %s 绑定变量。这避免了 SQL 注入。这是一个工作示例。
import MySQLdb
# set up db connection
dbApi = MySQLdb
connection = MySQLdb.connect(
host = <hostname>,
user = <databasename>,
passwd = password,
db = <dbname>,
port = 3306,
charset = "utf8")
cursor = connection.cursor(dbApi.cursors.DictCursor)
# insert records
records = [['George', 'Ten', 'Good'],
['Ringo', 'Ten', 'Good'],
['Paul', 'Ten', 'Good'],
['John', 'Ten', 'Good']]
insert_sql = 'insert into webdata (name, bubble, review) values (%s, %s, %s)'
for record in records:
cursor.execute(insert_sql, record)
# list record
sql = 'select * from webdata'
cursor.execute(sql)
data = cursor.fetchall()
print 'data:', data
connection.commit()
cursor.close()