Python 字符串拼接 sql ,造成 sql 注入例子

简单的 userinfo 表

**字符串拼接 sql **

import pymysql

# 测试环境的数据库连接
conn = pymysql.connect(host='192.168.0.214', port=3306, user='root', passwd='123456', db='tmpdb')
cursor = conn.cursor()

# 字符串拼接sql，用户名和密码都是乱写
sql = 'select username, password from userinfo where username="%s" and password="%s"'
sql = sql %('yy" or 1=1 -- ', '11111')
cursor.execute(sql)
r = cursor.fetchone()
print(r)

cursor.close()
conn.close()

# 运行结果，正确取到数值
('klvchen', '123456')

正常的写法

# __author__:"klvchen"
# date: 2018/12/12
import pymysql

conn = pymysql.connect(host='192.168.0.214', port=3306, user='root', passwd='123456', db='tmpdb')
cursor = conn.cursor()

cursor.execute('select username, password from userinfo where username=%s and password=%s', ('yy" or 1=1 -- ', '11111'))
r = cursor.fetchone()
print(r)

cursor.close()
conn.close()

# 运行结果，没有取到数值
None