sql注入中最多见的就是字符串拼接,研发人员对字符串拼接应该引发重视,不该忽略。python
错误用法1:mysql
sql = "select id, name from test where id=%d and name='%s'" %(id, name) sql
cursor.execute(sql) 微信
错误用法2:函数
sql = "select id, name from test where id="+ str(id) +" and name='"+ name +"'" 字符串
cursor.execute(sql) string
正确用法1:test
args = (id, name) select
sql = "select id, name from test where id=%s and name=%s" sql语句
cursor.execute(sql, args)
execute()函数自己有接受sql语句参数位的,能够经过python自身的函数处理sql注入问题。
正确用法2:
name = MySQLdb.escape_string(name)
sql = "select id, name from test where id=%d and name='%s'" %(id, name)
cursor.execute(sql)
python模块MySQLdb自带针对mysql的字符转义函数escape_string,能够对字符串转义
