这样写的方式主要是规避 SQL 注入风险。
# Never interpolate variables into the SQL text; hand them to execute() as
# parameters so the driver escapes them (this is what prevents SQL injection).
sql = (
    "select * from user "
    "where name = %s and pwd = %s"
)
count = c.execute(sql, (name, pwd))
示例:
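import pymysql
# NOTE(review): credentials are hard-coded for this demo only; in real code load
# them from configuration or the environment rather than the source file.
# MySQL's `utf8` is the 3-byte utf8mb3; `utf8mb4` is needed for full Unicode.
conn = pymysql.connect(host="127.0.0.1",port=3306,user='root',password='123', database='pooldb',charset='utf8')
try:
    cursor = conn.cursor()
    try:
        # Key point: the id is passed as a parameter, not formatted into the
        # SQL string, so the driver escapes it and it cannot change the query.
        cursor.execute("select * from td where id=%s", [5, ])
        result = cursor.fetchall()  # fetch the result rows
    finally:
        # Close the cursor even if execute()/fetchall() raises.
        cursor.close()
finally:
    conn.close()  # close the connection on every path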
# The parameter-passing part reworked: bind the statement and its parameter
# list to names first, then hand both to execute() together.
sql = (
    "select * from td "
    "where id=%s"
)
sql_var = [5]
cursor.execute(sql, sql_var)