from pymysql import connect
conn = connect(host='127.0.0.1',port=3306,database='test',user='root',password='mysql',charset='utf8')
cs1 = conn.cursor()
while True:
# student = input('student=:')
student = [input('student=:')]
# sql_1 = """select * from students where name='%s'"""%student
sql_2 = """select * from students where name=%s"""
# print(f'------------>{sql_1}<----------------')
print(f'------------>{sql_2}<----------------')
try:
# cs1.execute(sql_1)
cs1.execute(sql_2,student)
except Exception as ret:
print('错误')
else:
print(cs1.fetchall())
print(student)
cs1.close()
conn.close()
# 使用sql_1时
# 输入 ' or 1=1 or '1 时,sql语句变成 select * from students where name='' or 1=1 or '1'
# 此时 相当于查询整个数据库了 ===>sql注入
# 使用sql_2时
# 即将要查询的名保存在列表中,是excute(sql_1,student) 使
# 该列表里的值填充sql语句,不会出现以上情况 ====>sql防注入
sql防注入
最新推荐文章于 2024-10-12 23:53:21 发布