使用 Python 和 mySQL 进行动态 SQL 查询
我有多个表格在网格中更改值后进行更新。这些表并不总是具有相同的键或列,因此我无法明确命名列或格式。唯一相同的东西是钥匙驻留的列。我知道我目前这样做的方式是不正确的,并且让我接受注射攻击。
我还遇到了一个问题,其中一些值包含在SQL语句中丢弃错误的键。例如,更新其中email = t' [emagy  emagy 。
我不确定编写这些语句的正确方法。我进行了一些研究,并看到了用于不同目的的多种方法,但不确定哪种方法是正确的。我希望尽可能动态地做到这一点。谁能向我指向正确的方向?
连接:
import mysql.connector as sql
import MySQLdb
#Connect
self.db_name = 'database'
self.server = 'server'
self.user_id = 'user'
self.pw = 'password'
try:
self.db_con = MySQLdb.connect(user=self.user_id,password=self.pw,database=self.db_name,
host=self.server,charset='utf8',autocommit=True)
self.cursor = self.db_con.cursor()
except:
print("Error connecting")
SQL语句:
key_id = str("'") + self.GetCellValue(event.GetRow(),1) + str("'")
target_col = self.GetColLabelValue(event.GetCol())
key_col = self.GetColLabelValue(1)
nVal = str("'") + self.GetCellValue(event.GetRow(),event.GetCol()) + str("'")
#SQL STATEMENTS
sql_update = "UPDATE " + tbl + " SET " + target_col + " = " + nVal + " WHERE " + key_col + " = " + key_id + ""
#INSERT
sql_update = ("INSERT INTO " + str(self.tbl) + "(" + self.key_col + ")" + "VALUES (" + str("'") + str(val) + str("'") + ")")
#DELETE
sql_update = "DELETE FROM " + tbl + " WHERE " + self.key_col + " = " + self.key_id + ""
#SELECT
sql_query = "SELECT * FROM " + self.tbl
#Excecute
try:
self.cursor.execute(sql_update)
except:
print('Error')
self.db_con.rollback()
I have multiple tables that are updated after a value is changed in a grid. These tables don't always have the same keys or columns so I cannot explicitly name the columns or formats. The only thing that is ever the same, is the column where the keys reside. I know the way I am currently doing this is not correct and leaves me open to injection attacks.
I also ran into an issue where some of the values contain keys that throw an error in the SQL statement. For example, updating WHERE email = t'[email protected].
I am not really sure of the proper way to write these statements. I did some research and see multiple methods for different purposes but am not sure which is proper. I am looking to do this as dynamically as possible. Can anyone point me in the right direction?
To connect:
import mysql.connector as sql
import MySQLdb
#Connect
self.db_name = 'database'
self.server = 'server'
self.user_id = 'user'
self.pw = 'password'
try:
self.db_con = MySQLdb.connect(user=self.user_id,password=self.pw,database=self.db_name,
host=self.server,charset='utf8',autocommit=True)
self.cursor = self.db_con.cursor()
except:
print("Error connecting")
SQL Statements:
key_id = str("'") + self.GetCellValue(event.GetRow(),1) + str("'")
target_col = self.GetColLabelValue(event.GetCol())
key_col = self.GetColLabelValue(1)
nVal = str("'") + self.GetCellValue(event.GetRow(),event.GetCol()) + str("'")
#SQL STATEMENTS
sql_update = "UPDATE " + tbl + " SET " + target_col + " = " + nVal + " WHERE " + key_col + " = " + key_id + ""
#INSERT
sql_update = ("INSERT INTO " + str(self.tbl) + "(" + self.key_col + ")" + "VALUES (" + str("'") + str(val) + str("'") + ")")
#DELETE
sql_update = "DELETE FROM " + tbl + " WHERE " + self.key_col + " = " + self.key_id + ""
#SELECT
sql_query = "SELECT * FROM " + self.tbl
#Excecute
try:
self.cursor.execute(sql_update)
except:
print('Error')
self.db_con.rollback()
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
数据库对于“引用”标识符有不同的表示法(表和列名称等)和值(数据)。
MySQL 使用反引号来引用标识符。对于值,最好使用连接器包提供的参数替换机制:它更有可能正确处理嵌入引号等棘手的情况,并且会降低 SQL 注入的风险。
这是插入的示例;相同的技术可用于其他类型的查询。
如果您有多个列/值对,您可以执行以下操作:
值不仅是用于插入的数据,而且也是我们用于比较的数据,例如在
WHERE子句中。因此,带有过滤器的更新语句可能会像这样创建:但是有时
SET或WHERE子句的目标可能是一列,例如我们想要进行更新基于行中的其他值。例如,此语句会将key_col等于other_key_col的所有行的target_col设置为other_col的值:Databases have different notations for "quoting" identifiers (table and column names etc) and values (data).
MySQL uses backticks to quote identifiers. For values, it's best to use the parameter substitution mechanism provided by the connector package: it's more likely to handle tricky cases like embedded quotes correctly, and will reduce the risk of SQL injection.
Here's an example for inserts; the same techniques can be used for the other types of query.
If you have more than one column / value pair you could do something like this:
Values are not only data for insertion, but also data that we are using for comparison, for example in
WHEREclauses. So an update statement with a filter might be created like this:However sometimes the target of a
SETorWHEREclause may be a column, for example we want to do an update based on other values in the row. For example, this statement will settarget_colto the value ofother_colfor all rows wherekey_colis equal toother_key_col: