pymysql的基本使用
import pymysql
conn = pymysql.connect(
user='root',
password='555',
host='127.0.0.1',
port=3306,
charset='utf8',
database='oldboy_edu',
)
# 产生一个游标的对象
cursor = conn.cursor()
sql = 'select*from user_info as t1'
res = cursor.execute(sql)
print(res)
ret = cursor.fetchall()
print(type(ret))
print(ret)
结果:
3
<class 'tuple'>
((1, 'yyx', '12'), (2, 'yyh', '98'), (3, None, None))
import pymysql
conn = pymysql.connect(
user='root',
password='555',
host='127.0.0.1',
port=3306,
charset='utf8',
database='oldboy_edu',
)
# 产生一个游标的对象, 括号内是为了将查询出来的结果给制作成字典的形式返回
cursor = conn.cursor(pymysql.cursors.DictCursor)
sql = 'select*from user_info as t'
# 执行sql语句
res = cursor.execute(sql)
# 返回的是当前sql所影响的行数 数据类型是整型
print(res)
# 获取查询结果中的所有的数据 数据类型是元组套元组
# ret = cursor.fetchall()
# print(ret)
# 只获取查询结果中的一条数据 数据类型是字典
# print(cursor.fetchone())
# 获取指定几条数据,如果数字超了也不会报错 数据类型是列表套字典
# print(cursor.fetchmany(8))
# 这里要注意,如果现先有fetchone,fetchall就会跟着后面查询
# print(cursor.fetchone())
# print(cursor.fetchone())
# print(cursor.fetchmany())
print(cursor.fetchone())
# 相对移动 这里要注意, 基于指针所在的位置往后偏移
# cursor.scroll(1, 'relative')
# 绝对偏移 基于起始位置 往后偏移
cursor.scroll(1, 'absolute')
print(cursor.fetchall())
sql注入问题
import pymysql
conn = pymysql.connect(
user='root',
password='555',
host='127.0.0.1',
port=3306,
charset='utf8',
db='oldboy_edu',
)
cursor = conn.cursor(cursor=pymysql.cursors.DictCursor)
username = input('username:').strip()
password = input('password:').strip()
sql = "select *from user where name = '%s' and password = '%s " % (username, password)
print(sql)
cursor.execute(sql)
res = cursor.fetchall()
if res:
print(res)
else:
print('username or password error!')
问题一:
username:yyx' -- dadadasdad.da.da
password:
select *from user where name = 'yyx' -- dadadasdad.da.da' and password = '
[{'id': 1, 'name': 'yyx', 'password': '123', 'age': 21, 'address': '上海'}]
问题二:
username:' or 1=1 -- adada.dad.ad.ada
password:
select *from user where name = '' or 1=1 -- adada.dad.ad.ada' and password = '
[{'id': 1, 'name': 'yyx', 'password': '123', 'age': 21, 'address': '上海'}, {'id': 2, 'name': '小白边', 'password': '456', 'age': 25, 'address': '北京'}]
sql问题:
利用特殊符号和注释语法, 巧妙的绕过真正的sql校验
所以关键的数据 不需要自己动手去拼接 而是交由excute帮你去做拼接
# 改良以后的代码
import pymysql
conn = pymysql.connect(
user='root',
password='555',
host='127.0.0.1',
port=3306,
charset='utf8',
database='oldboy_edu',
)
# 新建游标
cursor = conn.cursor(pymysql.cursors.DictCursor)
username = input('username:').strip()
password = input('password').strip()
sql = "select *from user where name='%s' and password = '%s' "
cursor.execute(sql, (username, password))
res = cursor.fetchall()
if res:
print(res)
else:
print('username or password error!')
解决了sql注入的问题:
username:' or 1=1 -- dada.daada.da
password:
username or password error!
===============================
username:yyx' -- dada.dad.ada.d
password:
username or password error!
数据的增删改
针对增删改操作,执行程度相对偏高
所有要想对其操作, 必须要一步的确认操作
两种方式:
第一:在conn中添加autocommit=True;
第二:在excute后面加上conn.commint()
import pymysql
conn = pymysql.connect(
user='root',
password='555',
host='127.0.0.1',
port=3306,
charset='utf8',
db='oldboy_edu',
autocommit=True,
)
cursor = conn.cursor(cursor=pymysql.cursors.DictCursor)
# username = input('username:').strip()
# password = input('password').strip()
# 增加
# sql = "insert into user (name, password, age, address) values('yyh','456',87,'上海')"
# 修改
# sql = "update user set name = 'yyxnb' where id = 3"
# 删除
sql = "delete from user where id =1"
res = cursor.execute(sql)
print(res)