# sql 注入:常见原理是利用引号闭合字符串,把用户输入直接拼进 sql 语句里;注意没有引号的数字位置(如下面的 sex = %s)同样可以被注入(例如传入 0 or 1=1),所以问题根源是"拼接",不只是引号
# sql语句中用了引号,可以构造 1=1这类永远为真 且合格的sql语句
# 例如 "select * from bt_stu where real_name='%s' and sex = %s"%(name,sex) 可以把name 的字符串写成 'or '1'='1
# sql语句就变成了 select * from bt_stu where real_name =''or'1'='1' and sex = 0 直接把所有内容都打印出来了
# 或者 name 字符串构造成 name = " ' ;show tables;' -- "
# sql语句就变成了 select * from bt_stu where real_name ='';show tables; '-- and sex = 0
# 同理,也可以把show tables 语句改成 删除 修改等操作
# 所以为了防止sql注入,真正的做法不是简单去掉引号,而是不要自己用 % 或 f-string 把参数拼进 sql 字符串:把 sql 模板和参数分开交给数据库驱动(cursor.execute(sql, params)),由驱动负责转义和加引号;模板里的 %s 不要再手动写引号,否则驱动加的引号会和你写的引号重复
# 例如:sql = "select * from bt_stu where real_name=%s;" 然后 cursor.execute(sql, (name,)) —— 只有参数是安全的,sql 模板本身永远不能由用户输入拼出来
# 为了防止sql注入,那么我的op_mysql()的函数,参数则需要修改,用可变参数
# def test(a,b):
# pass
#
# li = [1,2]
# d = {'la':'lala',
# 'li':'lili'}
# test(*li) # 可变参数 一一对应,1传给a,2传给b
# test(**d) # 关键字可变参数按参数名匹配:d 的键必须是 'a'、'b' 才会分别传给 a、b;上面 d 的键是 'la'、'li',这样调用会抛 TypeError(unexpected keyword argument)
import pymysql,json
import conn
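def op_mysql(sql, *data,
             host=conn.MYSQL_HOST,
             user=conn.MYSQL_USER,
             password=conn.MYSQL_PASSWORD,
             db=conn.MYSQL_DB,
             port=conn.MYSQL_PORT,
             charset=conn.MYSQL_CHARSET):
    """Run one parameterised SQL statement against MySQL and return the result.

    ``sql`` is a template with ``%s`` placeholders; each element of ``data`` is
    one parameter sequence for it. The values are handed to pymysql separately
    from the template, so the driver escapes and quotes them -- this is what
    prevents SQL injection. Never build ``sql`` itself from user input (no
    ``%`` / f-string formatting of the template); only the parameters are safe.

    Args:
        sql: SQL template; write ``%s`` without surrounding quotes.
        *data: zero or more parameter sequences. With no ``data`` the
            statement runs once without parameters; otherwise every sequence
            is run through ``executemany``.
        host, user, password, db, port, charset: connection settings,
            defaulting to the values in the ``conn`` settings module.

    Returns:
        For a ``SELECT``: the fetched rows as a JSON string (array of objects,
        non-ASCII kept as-is). For anything else: the transaction is committed
        and the string ``'Exe Success'`` is returned.

    Raises:
        Whatever pymysql raises; on error the transaction is rolled back and
        the connection is closed before the exception propagates.
    """
    # Named ``connection`` so the imported ``conn`` settings module is not
    # shadowed inside this function.
    connection = pymysql.connect(
        host=host,
        user=user,
        password=password,
        db=db,
        port=port,
        charset=charset,
    )
    try:
        with connection.cursor(cursor=pymysql.cursors.DictCursor) as cur:
            if data:
                cur.executemany(sql, data)
            else:
                # executemany() with an empty parameter list runs nothing at
                # all, so a parameter-less statement must go through execute().
                cur.execute(sql)
            # Strip leading whitespace first: otherwise an indented SELECT is
            # committed and its rows silently discarded.
            if sql.lstrip()[:6].upper() == 'SELECT':
                # NOTE: json.dumps cannot serialise datetime/Decimal columns;
                # callers selecting such columns need a custom serializer.
                res = json.dumps(cur.fetchall(), ensure_ascii=False)
            else:
                connection.commit()
                res = 'Exe Success'
    except Exception:
        # Do not leave a half-applied transaction behind on the server.
        connection.rollback()
        raise
    finally:
        # Always release the connection, even when the statement fails.
        connection.close()
    return res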
# Example 1: a SELECT with a single parameter set.
# The values stay out of the SQL text; pymysql substitutes and escapes them.
name = 'admin'
money = 10000
sql = "select * from user WHERE username = %s AND money = %s;"
data = [name, money]
# Passed as ONE positional argument: inside op_mysql, *data collects it into a
# 1-tuple of parameter rows, which is exactly what executemany() expects.
res = op_mysql(sql, data)
print(res)

# Example 2: a bulk INSERT with twelve parameter rows.
# Rows: blue = 16, 15, 14, then nine rows with blue = 13; red/date are constant.
sql1 = 'insert into seq (blue,red,date) values (%s,%s,%s)'
all_res = [
    [blue, '01,02,03,05,09,06', '2018-01-28']
    for blue in ['16', '15', '14'] + ['13'] * 9
]
# Spread with * so each row becomes its own positional argument; without the
# star, *data would wrap the whole list once more (a 3-level nesting) and
# executemany() would see a single malformed "row".
res = op_mysql(sql1, *all_res)
print(res)
# 修改,删除