如何在Python中使用SQL语句中的变量?好吧,我对Python没什么经验。我有以下Python代码:cursor.execute("INSERT INTO table VALUES var1, var2, var3,")哪里var1是整数,var2 & var3是弦乐。如果没有python作为查询文本的一部分,我如何编写变量名?
3 回答
慕慕森
TA贡献1856条经验 获得超17个赞
很多方法。别使用最明显的(%s带着%)在实际代码中,它对攻击.
# Never do this -- insecure!
symbol = 'RHAT'
c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)
# Do this instead
t = ('RHAT',)
c.execute('SELECT * FROM stocks WHERE symbol=?', t)
print c.fetchone()
# Larger example that inserts many records at a time
purchases = [('2006-03-28', 'BUY', 'IBM', 1000, 45.00),
('2006-04-05', 'BUY', 'MSFT', 1000, 72.00),
('2006-04-06', 'SELL', 'IBM', 500, 53.00),
]
c.executemany('INSERT INTO stocks VALUES (?,?,?,?,?)', purchases)
如果您需要更多的示例:
# Multiple values single statement/execution
c.execute('SELECT * FROM stocks WHERE symbol=? OR symbol=?', ('RHAT', 'MSO'))
print c.fetchall()
c.execute('SELECT * FROM stocks WHERE symbol IN (?, ?)', ('RHAT', 'MSO'))
print c.fetchall()
# This also works, though ones above are better as a habit as it's inline with syntax of executemany().. but your choice.
c.execute('SELECT * FROM stocks WHERE symbol=? OR symbol=?', 'RHAT', 'MSO')
print c.fetchall()
# Insert a single item
c.execute('INSERT INTO stocks VALUES (?,?,?,?,?)', ('2006-03-28', 'BUY', 'IBM', 1000, 45.00))
交互式爱情
TA贡献1712条经验 获得超3个赞
cursor.execute("INSERT INTO table VALUES (%s, %s, %s)", (var1, var2, var3))注意,参数作为元组传递。
数据库API对变量进行适当的转义和引用。小心不要使用字符串格式运算符(%),因为
- 它不做任何逃避或引用。
- 它容易受到不受控制的字符串格式攻击。
添加回答
举报
0/150
提交
取消