問題描述
我很難使用 MySQLdb 模塊將信息插入到我的數據庫中.我需要在表中插入 6 個變量.
I am having a hard time using the MySQLdb module to insert information into my database. I need to insert 6 variables into the table.
cursor.execute ("""
INSERT INTO Songs (SongName, SongArtist, SongAlbum, SongGenre, SongLength, SongLocation)
VALUES
(var1, var2, var3, var4, var5, var6)
""")
有人可以幫我了解這里的語法嗎?
Can someone help me with the syntax here?
推薦答案
當心對 SQL 查詢使用字符串插值,因為它不會正確轉義輸入參數,并使您的應用程序容易受到 SQL 注入漏洞的影響.差異可能看起來微不足道,但實際上差別很大.
Beware of using string interpolation for SQL queries, since it won't escape the input parameters correctly and will leave your application open to SQL injection vulnerabilities. The difference might seem trivial, but in reality it's huge.
c.execute("SELECT * FROM foo WHERE bar = %s AND baz = %s" % (param1, param2))
正確(帶轉義)
c.execute("SELECT * FROM foo WHERE bar = %s AND baz = %s", (param1, param2))
用于綁定 SQL 語句中參數的修飾符在不同的 DB API 實現之間有所不同,并且 mysql 客戶端庫使用 printf 樣式語法而不是更普遍接受的 '?'標記(由例如 python-sqlite 使用).
It adds to the confusion that the modifiers used to bind parameters in a SQL statement varies between different DB API implementations and that the mysql client library uses printf style syntax instead of the more commonly accepted '?' marker (used by eg. python-sqlite).
這篇關于MySQL參數化查詢的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!