Python 在postgres中使用$$将NULL插入到可为NULL的行中
我正在努力保护我的申请:Python 在postgres中使用$$将NULL插入到可为NULL的行中,python,postgresql,psycopg2,Python,Postgresql,Psycopg2,我正在努力保护我的申请: q = "insert into foo (name, descr, some_fk_int) values ($${}$$, $${}$$, $${}$$);".format( name.replace("$$",""), description.replace("$$",""), str(fkToAnotherTable).replace("$$","") if fkToANotherTable is not None else 'NULL' ) cur
q = "insert into foo (name, descr, some_fk_int) values ($${}$$, $${}$$, $${}$$);".format(
name.replace("$$",""),
description.replace("$$",""),
str(fkToAnotherTable).replace("$$","") if fkToANotherTable is not None else 'NULL'
)
cur.execute(q)
.... ($$Tony$$,$$Bar$$, NULL)
.....($$Tony$$, $$Bar$$, $$NULL$$)
select * from foo where id = $$id$$
select * from foo where id = $$hello$$
select * from foo where id = $$$$ or 1=1$$$$
$$或1=1$$q = "insert into foo (name, description, fk) values
( $${}$$, $${}$$, {} );".format(
name.replace("$$",""),
description.replace("$$",""),
"$${}$$".format(str(FK).replace("$$","")) if FK is not None else "NULL"
)
$q = "select * from foo where name in ({}) and user_id = %s".format(
",".join(["%s" for d in my_list])
)
# creates: select * from foo where name in (%s, %s, %s, %s, %s) and user_id = %s;
args = [d for d in my_list] + [user_id]
# creates [1,2,3,4,5,7493]
cursor.execute(q, args)
由于网站允许第二个参数是序列、列表或指令。您希望使用预处理语句。避免sql注入的最佳方法是使用预处理语句。我正在查看execute函数,该函数允许我执行以下操作:
cursor.execute(“插入到foo(a,b)值(%{}s,%{}s)”,(“foo”,“bar”))(..)