防止sql注入——多个参数的使用
import pymysql
#2. 创建连接对象
#connect = Connection = Connect
# 1)host:服务器主机地址
# 2)port:服务器端口号3306
# 3)user:用户名root/admin
# 4)password 密码
# 5)database :操作的数据库 mysql/pymysql_test
# 6)charset:获取数据库编码格式:utf8
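if __name__ == '__main__':
    # 2. Create the connection object (connect = Connection = Connect).
    #   host:     database server address
    #   port:     server port, 3306
    #   user:     account name
    #   password: account password
    #   database: database to operate on, pymysql_test
    #   charset:  connection character set, utf8
    # NOTE(review): the credentials below are hard-coded in the script; for
    # anything beyond a local demo, load them from the environment or a config
    # file that is not committed alongside the code.
    conn = pymysql.connect(
        host='localhost',
        port=3306,
        user='user',
        password='123456',
        database='pymysql_test',
        charset='utf8',
    )
    # 3. Obtain a cursor to run SQL statements through.
    cursor = conn.cursor()
    # SQL-injection prevention: the values are handed to the driver separately
    # and bound to the %s placeholders; these %s are query parameters, not
    # Python %-formatting, so they must NOT be quoted in the SQL text.
    sql = "insert into students(name,age,gender,address) values(%s,%s,%s,%s)"
    print(sql)
    try:
        # 4. Execute the statement; the parameter container may be a tuple,
        #    list or dict.
        cursor.execute(sql, ["张三", 18, '男', "深圳"])
        conn.commit()
    except Exception:
        # Undo the partial transaction, then re-raise. The original swallowed
        # the exception here, so a failed insert was indistinguishable from a
        # successful one to the caller.
        conn.rollback()
        raise
    finally:
        # 5. Close the cursor.
        cursor.close()
        # 6. Close the connection.
        conn.close()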