pymsql（SQL注入与防SQL注入）

SQL注入：

import pymysql# 创建数据库连接 返回一个对象
conn = pymysql.connect(host="localhost",  # MySQL服务器地址 本地地址 127.0.0.1user="root",  # 用户名 （账号）password="155480",  # 密码database="spt2503",  # 数据库名称port=3306
)
cursor = conn.cursor(cursor=pymysql.cursors.DictCursor)
name = input("请输入账号")
pwd = input("请输入密码")sql = ("SELECT * from  t_user u LEFT JOIN t_user_role ur  ON(ur.uid=u.id)LEFT JOIN ""t_role r on (ur.rid=r.rid)LEFT   JOIN t_role_menu rm  ON (rm.rid=r.rid)LEFT "" JOIN t_menu m ON (m.id=rm.mid) where u.name = '%s' and u.pwd = '%s'")%(name,pwd)
print(sql)
resultCount = cursor.execute(sql)res = cursor.fetchall()
print(res)
print(resultCount)
if resultCount:print("登录成功")
else:print("用户名或密码错误")cursor.close()conn.close()# SQL注入会生成新的SQL语句（'%s'）

防止SQL注入字典：

import pymysql# 创建数据库连接 返回一个对象
conn = pymysql.connect(host="localhost",  # MySQL服务器地址 本地地址 127.0.0.1user="root",  # 用户名 （账号）password="155480",  # 密码database="spt2503",  # 数据库名称port=3306
)
cursor = conn.cursor(cursor=pymysql.cursors.DictCursor)
name = input("请输入账号")
pwd = input("请输入密码")sql = ("SELECT * from  t_user u LEFT JOIN t_user_role ur  ON(ur.uid=u.id)LEFT JOIN ""t_role r on (ur.rid=r.rid)LEFT   JOIN t_role_menu rm  ON (rm.rid=r.rid)LEFT "" JOIN t_menu m ON (m.id=rm.mid) where u.name = %s and u.pwd = %s")
print(sql)
resultCount = cursor.execute(sql, (name, pwd))res = cursor.fetchall()
print(res)
print(resultCount)
if resultCount:print("登录成功")
else:print("用户名或密码错误")cursor.close()conn.close()# SQL注入会生成新的SQL语句（'%s'）