我正在尝试使用Python的DB-API组装以下SQL语句:
SELECT x FROM myTable WHERE x LIKE 'BEGINNING_OF_STRING%';
BEGINNING_OF_STRING应该是一个Python变量,通过DB-API安全地填充。我尝试过了。
beginningOfString = 'abc'
cursor.execute('SELECT x FROM myTable WHERE x LIKE '%s%', beginningOfString)
cursor.execute('SELECT x FROM myTable WHERE x LIKE '%s%%', beginningOfString)
我已经没有想法了,正确的做法是什么?
如果可以的话,最好将参数与SQL语句分离。 这样,您可以让数据库模块负责正确引用参数。
sql='SELECT x FROM myTable WHERE x LIKE %s'
args=[beginningOfString+'%']
cursor.execute(sql,args)
编辑:
正如Brian和Thomas所指出的,更好的方法是使用:
beginningOfString += '%'
cursor.execute("SELECT x FROM myTable WHERE x LIKE ?", (beginningOfString,) )
由于第一种方法容易受到SQL注入攻击的威胁,建议使用其他方式。
以下内容仅供参考:
尝试使用:
cursor.execute("SELECT x FROM myTable WHERE x LIKE '%s%%'" % beginningOfString)
"SELECT x FROM myTable WHERE x LIKE '%s%%'" % "doom' ; drop table x; select '" - BrianUsually your SQL operations will need to use values from Python variables. You shouldn’t assemble your query using Python’s string operations because doing so is insecure; it makes your program vulnerable to an SQL injection attack.
Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method. (Other database modules may use a different placeholder, such as %s or :1.) For example:
# Never do this -- insecure! symbol = 'IBM' c.execute("... where symbol = '%s'" % symbol) # Do this instead t = (symbol,) c.execute('select * from stocks where symbol=?', t) # Larger example for t in [('2006-03-28', 'BUY', 'IBM', 1000, 45.00), ('2006-04-05', 'BUY', 'MSOFT', 1000, 72.00), ('2006-04-06', 'SELL', 'IBM', 500, 53.00), ]: c.execute('insert into stocks values (?,?,?,?,?)', t)
我想你需要这个:
cursor.execute('SELECT x FROM myTable WHERE x LIKE '%?%', (beginningOfString,) )
'%?%'而不是'?%'(他的查询不够一致),我没有看到任何问题。 - Brian