简单的 userinfo 表
**字符串拼接 sql **
import pymysql
# 测试环境的数据库连接
conn = pymysql.connect(host='192.168.0.214', port=3306, user='root', passwd='123456', db='tmpdb')
cursor = conn.cursor()
# 字符串拼接sql,用户名和密码都是乱写
sql = 'select username, password from userinfo where username="%s" and password="%s"'
sql = sql %('yy" or 1=1 -- ', '11111')
cursor.execute(sql)
r = cursor.fetchone()
print(r)
cursor.close()
conn.close()
# 运行结果,正确取到数值
('klvchen', '123456')
正常的写法
# __author__:"klvchen"
# date: 2018/12/12
import pymysql
conn = pymysql.connect(host='192.168.0.214', port=3306, user='root', passwd='123456', db='tmpdb')
cursor = conn.cursor()
cursor.execute('select username, password from userinfo where username=%s and password=%s', ('yy" or 1=1 -- ', '11111'))
r = cursor.fetchone()
print(r)
cursor.close()
conn.close()
# 运行结果,没有取到数值
None