在Python 3中使用MySQLdb参数化查询
我试图通过使用参数化查询的Python脚本将数据插入MySQL数据库,而不是将参数格式化为字符串并打开应用程序进行SQL注入 以下是Python代码:在Python 3中使用MySQLdb参数化查询,python,mysql,mysql-python,Python,Mysql,Mysql Python,我试图通过使用参数化查询的Python脚本将数据插入MySQL数据库,而不是将参数格式化为字符串并打开应用程序进行SQL注入 以下是Python代码: #!/usr/bin/python3 import MySQLdb as mdb conn = mdb.connect("localhost", "fakeuser", "fakepassword", "testdb") c = conn.cursor() c.execute("INSERT INTO test VALUES (%s)", (
#!/usr/bin/python3
import MySQLdb as mdb
conn = mdb.connect("localhost", "fakeuser", "fakepassword", "testdb")
c = conn.cursor()
c.execute("INSERT INTO test VALUES (%s)", ("Test", ))
conn.commit()
conn.close()
运行脚本时,我得到以下堆栈跟踪:
Traceback (most recent call last):
File "./load.py", line 7, in <module>
c.execute("INSERT INTO test VALUES (%s)", ("Test", ))
File "/opt/python3/lib/python3.2/site-packages/MySQL_python-1.2.3-py3.2-linux-x86_64.egg/MySQLdb/cursors.py", line 184, in execute
self.errorhandler(self, exc, value)
File "/opt/python3/lib/python3.2/site-packages/MySQL_python-1.2.3-py3.2-linux-x86_64.egg/MySQLdb/connections.py", line 37, in defaulterrorhandler
raise errorvalue
File "/opt/python3/lib/python3.2/site-packages/MySQL_python-1.2.3-py3.2-linux-x86_64.egg/MySQLdb/cursors.py", line 171, in execute
r = self._query(query)
File "/opt/python3/lib/python3.2/site-packages/MySQL_python-1.2.3-py3.2-linux-x86_64.egg/MySQLdb/cursors.py", line 330, in _query
rowcount = self._do_query(q)
File "/opt/python3/lib/python3.2/site-packages/MySQL_python-1.2.3-py3.2-linux-x86_64.egg/MySQLdb/cursors.py", line 294, in _do_query
db.query(q)
_mysql_exceptions.ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%s)' at line 1")
回溯(最近一次呼叫最后一次):
文件“/load.py”,第7行,在
c、 执行(“插入测试值(%s)”,(“测试”,))
文件“/opt/python3/lib/python3.2/site packages/MySQL\u python-1.2.3-py3.2-linux-x86\u 64.egg/MySQLdb/cursors.py”,执行中第184行
errorhandler(self、exc、value)
defaulterrorhandler中的文件“/opt/python3/lib/python3.2/site packages/MySQL\u python-1.2.3-py3.2-linux-x86\u 64.egg/MySQLdb/connections.py”,第37行
提高错误值
文件“/opt/python3/lib/python3.2/site packages/MySQL\u python-1.2.3-py3.2-linux-x86\u 64.egg/MySQLdb/cursors.py”,第171行,在execute中
r=自我查询(查询)
文件“/opt/python3/lib/python3.2/site packages/MySQL\u python-1.2.3-py3.2-linux-x86\u 64.egg/MySQLdb/cursors.py”,第330行,在
rowcount=self.\u do\u查询(q)
文件“/opt/python3/lib/python3.2/site packages/MySQL\u python-1.2.3-py3.2-linux-x86\u 64.egg/MySQLdb/cursors.py”,第294行,在查询中
数据库查询(q)
_mysql_exceptions.ProgrammingError:(1064,“您的SQL语法有错误;请检查与您的mysql服务器版本对应的手册,以了解在第1行“%s”附近使用的正确语法”)
然而,我读过的每一篇文档都表明%s
是正确的占位符。我试图用单引号将%s
括起来,但这会导致语句按字面意思插入该字符串,而不是替换给定的值,这正是我所期望的
以下是相关的软件版本:
- Python 3.2.3
- MySQL_python-1.2.3-py3.2
- MySQL 5.5.40-36.1
注意:我使用的是共享主机,无法升级软件。MySQL Python项目不支持Python 3-see,多年来一直说“Python 3支持即将到来”,它只提供Python 2.7版本,并说: Python-3.0将在未来的版本中得到支持 我听说没有可用的“-py3.2”发行版(或者可以通过搜索找到);您的主机可能有一些愚蠢的事情(例如)让库安装在Python3上,但是能够安装库并不能保证它能真正工作 这是: 今天我在远程web服务器上切换到Python v3.2.3 短吻鳄。我的cgi脚本在pythonv2.6.6上运行,现在生成 这些错误:
--> -->
Traceback (most recent call last):
File "/opt/python3/lib/python3.2/site-packages/MySQL_python-1.2.3-py3.2-linux-x86_64.egg/MySQLdb/cursors.py", line 171, in execute
r = self._query(query)
File "/opt/python3/lib/python3.2/site-packages/MySQL_python-1.2.3-py3.2-linux-x86_64.egg/MySQLdb/cursors.py", line 330, in _query
rowcount = self._do_query(q)
File "/opt/python3/lib/python3.2/site-packages/MySQL_python-1.2.3-py3.2-linux-x86_64.egg/MySQLdb/cursors.py", line 294, in _do_query
db.query(q)
_mysql_exceptions.ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%s' at line 1")
关于库的%s
语法是否正确,您是对的;不幸的是,Python3在某些方面做得不好。您可以尝试改用命名参数样式,看看这是否有帮助,但最好的办法是完全停止使用不受支持的库。例如,如果您的主机还提供