简单的 userinfo 表
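# String-concatenated SQL: an intentionally vulnerable demo.
#
# WARNING: this script builds the query with %-formatting ON PURPOSE, to show
# how a crafted username bypasses the password check. Never write production
# code this way; pass values separately with cursor.execute(sql, params).


def build_unsafe_sql(username: str, password: str) -> str:
    """Return the userinfo lookup query with *username*/*password* pasted in as text.

    This is the vulnerable construction: the values are interpolated straight
    into the SQL string, so a value containing a double quote terminates the
    string literal and whatever follows is interpreted as SQL.
    """
    sql = 'select username, password from userinfo where username="%s" and password="%s"'
    return sql % (username, password)


def unsafe_lookup(cursor, username: str, password: str):
    """Run the string-built query on *cursor* and return the first row (None if no match)."""
    cursor.execute(build_unsafe_sql(username, password))
    return cursor.fetchone()


def main() -> None:
    """Connect to the test database and demonstrate the bypass.

    The payload 'yy" or 1=1 -- ' closes the username literal, ORs in a
    tautology and comments out the password comparison, so the query matches
    every row no matter what (garbage) password is supplied.
    """
    import pymysql  # local import so the helpers above stay importable without the driver

    # Test-environment connection; credentials are hardcoded for the demo only.
    conn = pymysql.connect(host='192.168.0.214', port=3306, user='root', passwd='123456', db='tmpdb')
    try:
        cursor = conn.cursor()
        try:
            r = unsafe_lookup(cursor, 'yy" or 1=1 -- ', '11111')
            print(r)
        finally:
            cursor.close()
    finally:
        # Closed in a finally so a failing query cannot leak the connection.
        conn.close()
    # Observed result: a row IS returned -> ('klvchen', '123456')
    # Note the password column comes back in clear text; a real system stores
    # a salted hash and never compares the raw password inside the SQL.


if __name__ == "__main__":
    main()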
正常的写法
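# __author__:"klvchen"
# date: 2018/12/12
#
# The correct way: a parameterized query. The driver fills the %s
# placeholders itself (sending the values separately or escaping them per the
# server's rules), so the injection payload from the previous example is
# matched literally as a username and no row is found.
#
# Caveat: parameters protect *values* only. Table and column names, ORDER BY
# targets etc. cannot be parameterized and must come from an allow-list.


def find_user(cursor, username: str, password: str):
    """Look up one userinfo row by *username* and *password* with a parameterized query.

    The %s markers are placeholders consumed by the driver, not Python
    %-formatting, so quotes inside the arguments cannot break out of the SQL
    literal. Returns the first matching row, or None.
    """
    cursor.execute(
        'select username, password from userinfo where username=%s and password=%s',
        (username, password),
    )
    return cursor.fetchone()


def main() -> None:
    """Connect to the test database and show that the payload no longer matches."""
    import pymysql  # local import keeps find_user importable without the driver

    # Test-environment connection; credentials are hardcoded for the demo only.
    conn = pymysql.connect(host='192.168.0.214', port=3306, user='root', passwd='123456', db='tmpdb')
    try:
        cursor = conn.cursor()
        try:
            r = find_user(cursor, 'yy" or 1=1 -- ', '11111')
            print(r)
        finally:
            cursor.close()
    finally:
        # Closed in a finally so a failing query cannot leak the connection.
        conn.close()
    # Observed result: no row -> None
    # The lookup still compares a clear-text password in SQL; that is fine for
    # an injection demo but not for a real login path (use salted hashes).


if __name__ == "__main__":
    main()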