These two lines of code tormented me for two days recently. I kept thinking there was absolutely nothing wrong with them from a syntax point of view, and yet...
Here is the code.
Wrong version:
from flask import request  # the values come from the query string of a Flask request

# No quotes around the interpolated values: "... where user=alice" is not valid SQL
sql = "select * from user where user=" + request.args.get('user') + " and password=" + request.args.get('password') + ""
sql = "INSERT INTO user(user, password) VALUES (" + request.args.get('user') + ", " + request.args.get('password') + ")"
Correct code:
user = str(request.args.get('user'))
password = str(request.args.get('password'))
# Both values are now wrapped in single quotes so that they are SQL string literals
# (the original quoted only user in the SELECT; password is quoted here for consistency)
sql = "select * from user where user= '%s' and password= '%s'" % (user, password)
sql = "INSERT INTO user(user, password) VALUES ('%s','%s')" % (user, password)
The wrong version only works when the values are numbers; for strings it obviously fails, because without the surrounding quotes the value is not a valid SQL string literal.
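Hand-quoting with %-formatting makes the statement parse, but the value is still pasted into the SQL text, so any quote character inside the data breaks the statement again (and that same property is what leaves the query open to SQL injection). The added example below, which is not the author's code, runs the post's two statements in both styles against an in-memory SQLite table named user (constructed sample data) and contrasts them with the driver's own placeholders, where values travel separately from the SQL text:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # In-memory table mirroring the post's schema (constructed for this example)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (user TEXT, password TEXT)")
    return conn


def insert_user_formatted(conn, user: str, password: str) -> None:
    # The post's "correct" version: quotes are added by hand via %-formatting
    sql = "INSERT INTO user(user, password) VALUES ('%s','%s')" % (user, password)
    conn.execute(sql)


def insert_user_param(conn, user: str, password: str) -> None:
    # Parameterised version: sqlite3 binds the values, so quotes in the data are data
    conn.execute("INSERT INTO user(user, password) VALUES (?, ?)", (user, password))


def find_user_formatted(conn, user: str, password: str) -> list:
    sql = "select * from user where user='%s' and password='%s'" % (user, password)
    return conn.execute(sql).fetchall()


def find_user_param(conn, user: str, password: str) -> list:
    sql = "select * from user where user=? and password=?"
    return conn.execute(sql, (user, password)).fetchall()


def demo() -> dict:
    """Run both styles on a legitimate value that happens to contain a quote."""
    conn = make_db()
    user, password = "alice", "it's-secret"  # constructed sample input
    results = {}
    for name, fn in (("insert", insert_user_formatted), ("select", find_user_formatted)):
        try:
            fn(conn, user, password)
            results["formatted_" + name] = "ok"
        except sqlite3.OperationalError as exc:
            # The apostrophe terminates the hand-made string literal early
            results["formatted_" + name] = "error: %s" % exc
    insert_user_param(conn, user, password)
    results["param_rows"] = find_user_param(conn, user, password)
    return results


if __name__ == "__main__":
    print(demo())
```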