def get_info_by_name(self):
    """Run a ``goods`` lookup for the name typed at the prompt (unsafe version).

    The typed value is spliced straight into the SQL text with ``%``
    formatting, so a quote in the input becomes part of the statement
    instead of part of the value; the session output below shows the
    ``where`` clause being turned into a tautology this way.  Compare the
    parameterized variant further down, which hands the value to the driver
    separately from the SQL text.
    """
    find_name = input('请输入要查询的商品名字:')
    # String interpolation of untrusted input into SQL: this is the injection point.
    sql = '''select * from goods where name = '%s';''' % find_name
    # Debug echo of the assembled statement (what the sample session prints).
    print('------------>%s<-----------' % sql)
    self.execute_sql(sql)
请输入要查询的商品名字: 'or 1=1 or '1
------------>select * from goods where name = ' 'or 1=1 or '1';<-----------
安全的方式
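def get_info_by_name(self):
    """Print every ``goods`` row whose ``name`` equals the name typed at the prompt.

    The value is passed to the driver as a query parameter rather than
    spliced into the SQL text, so the database receives it as data and
    quotes in the input cannot change the statement's structure.

    Reads ``self.cursor`` (expected to be a DB-API style cursor with
    ``execute``/``fetchall``).  The rows are printed and also returned so a
    caller can use them.
    """
    find_name = input('请输入要查询的商品名字:')
    # ``%s`` here is the driver's placeholder, not Python %-formatting; the
    # value travels in the parameter list (pymysql/MySQLdb style — confirm
    # the paramstyle of the driver in use).
    sql = 'select * from goods where name = %s'
    # Fix: the original called ``excute``, which raises AttributeError on a
    # real cursor, so the "safe" example never actually ran.
    self.cursor.execute(sql, [find_name])
    rows = self.cursor.fetchall()
    print(rows)
    return rows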