zoukankan      html  css  js  c++  java
  • pymysql模块使用,进行增删改查以及sql注入问题

    pymysql的基本使用
    import pymysql
    
    conn = pymysql.connect(
        user='root',
        password='555',
        host='127.0.0.1',
        port=3306,
        charset='utf8',
        database='oldboy_edu',
    )
    
    # 产生一个游标的对象
    cursor = conn.cursor()
    sql = 'select*from user_info as t1'
    res = cursor.execute(sql)
    print(res)
    ret = cursor.fetchall()
    print(type(ret))
    print(ret)
    
    结果:
    3
    <class 'tuple'>
    ((1, 'yyx', '12'), (2, 'yyh', '98'), (3, None, None))
    
    
    
    import pymysql
    
    conn = pymysql.connect(
        user='root',
        password='555',
        host='127.0.0.1',
        port=3306,
        charset='utf8',
        database='oldboy_edu',
    )
    
    # 产生一个游标的对象, 括号内是为了将查询出来的结果给制作成字典的形式返回
    cursor = conn.cursor(pymysql.cursors.DictCursor)
    sql = 'select*from user_info as t'
    # 执行sql语句
    res = cursor.execute(sql)
    # 返回的是当前sql所影响的行数  数据类型是整型
    print(res)
    # 获取查询结果中的所有的数据 数据类型是元组套元组
    # ret = cursor.fetchall()
    # print(ret)
    # 只获取查询结果中的一条数据 数据类型是字典
    # print(cursor.fetchone())
    # 获取指定几条数据,如果数字超了也不会报错 数据类型是列表套字典
    # print(cursor.fetchmany(8))
    
    
    # 这里要注意,如果现先有fetchone,fetchall就会跟着后面查询
    # print(cursor.fetchone())
    # print(cursor.fetchone())
    # print(cursor.fetchmany())
    
    
    print(cursor.fetchone())
    # 相对移动 这里要注意, 基于指针所在的位置往后偏移
    # cursor.scroll(1, 'relative')
    # 绝对偏移 基于起始位置 往后偏移
    cursor.scroll(1, 'absolute')
    print(cursor.fetchall())
    
    
    
    sql注入问题
    import pymysql
    
    conn = pymysql.connect(
        user='root',
        password='555',
        host='127.0.0.1',
        port=3306,
        charset='utf8',
        db='oldboy_edu',
    )
    cursor = conn.cursor(cursor=pymysql.cursors.DictCursor)
    username = input('username:').strip()
    password = input('password:').strip()
    sql = "select *from user where name = '%s' and password = '%s " % (username, password)
    print(sql)
    cursor.execute(sql)
    res = cursor.fetchall()
    if res:
        print(res)
    else:
        print('username or password error!')
    	
        
        问题一:
    username:yyx' -- dadadasdad.da.da
    password:
    select *from user where name = 'yyx' -- dadadasdad.da.da' and password = ' 
    [{'id': 1, 'name': 'yyx', 'password': '123', 'age': 21, 'address': '上海'}]
    
    问题二:
    username:' or 1=1 -- adada.dad.ad.ada
    password:
    select *from user where name = '' or 1=1 -- adada.dad.ad.ada' and password = ' 
    [{'id': 1, 'name': 'yyx', 'password': '123', 'age': 21, 'address': '上海'}, {'id': 2, 'name': '小白边', 'password': '456', 'age': 25, 'address': '北京'}]
    
    
    

    sql问题:

    ​ 利用特殊符号和注释语法, 巧妙的绕过真正的sql校验

    所以关键的数据 不需要自己动手去拼接 而是交由excute帮你去做拼接

    # 改良以后的代码
    import pymysql
    
    conn = pymysql.connect(
        user='root',
        password='555',
        host='127.0.0.1',
        port=3306,
        charset='utf8',
        database='oldboy_edu',
    )
    
    # 新建游标
    cursor = conn.cursor(pymysql.cursors.DictCursor)
    username = input('username:').strip()
    password = input('password').strip()
    sql = "select *from user where name='%s' and password = '%s' "
    cursor.execute(sql, (username, password))
    res = cursor.fetchall()
    if res:
        print(res)
    else:
        print('username or password error!')
    
    解决了sql注入的问题:
    	username:' or 1=1 -- dada.daada.da
        password:
        username or password error!
        
        ===============================
        
        username:yyx' -- dada.dad.ada.d
        password:
        username or password error!
    	
        
    
    数据的增删改

    针对增删改操作,执行程度相对偏高

    所有要想对其操作, 必须要一步的确认操作

    两种方式:

    ​ 第一:在conn中添加autocommit=True;

    ​ 第二:在excute后面加上conn.commint()

    import pymysql
    
    conn = pymysql.connect(
        user='root',
        password='555',
        host='127.0.0.1',
        port=3306,
        charset='utf8',
        db='oldboy_edu',
        autocommit=True,
    
    )
    cursor = conn.cursor(cursor=pymysql.cursors.DictCursor)
    # username = input('username:').strip()
    # password = input('password').strip()
    # 增加
    # sql = "insert into user (name, password, age, address) values('yyh','456',87,'上海')"
    # 修改
    # sql = "update user set name = 'yyxnb' where id = 3"
    # 删除
    sql = "delete from user where id =1"
    
    res = cursor.execute(sql)
    print(res)
    
    
    
  • 相关阅读:
    中考 2020 游记
    CodeChef 2020 July Long Challenge 题解
    GDOI2020 游记
    AtCoder Grand Contest 044 题解
    ISIJ2020 不知道算不算游记
    WC2020 拿铁记
    UOJ Round 19 题解
    本博客采用 CC BY-NC-SA 4.0 进行许可
    [算法模版]回文树
    AddressSanitizer
  • 原文地址:https://www.cnblogs.com/godlover/p/12052235.html
Copyright © 2011-2022 走看看