Man*_*mer 38 python python-2.7
When I run this script:
#! /usr/bin/env python
import MySQLdb as mdb
import sys

class Test:
    def check(self, search):
        con = None  # so the finally block is safe if connect() itself fails
        try:
            con = mdb.connect('localhost', 'root', 'password', 'recordsdb')
            cur = con.cursor()
            # the line that raises: the placeholder is wrapped in quotes and a
            # bare string is passed where execute() expects a sequence of params
            cur.execute( "SELECT * FROM records WHERE email LIKE '%s'", search )
            ver = cur.fetchone()
            print "Output : %s " % ver
        except mdb.Error, e:
            print "Error %d: %s" % (e.args[0],e.args[1])
            sys.exit(1)
        finally:
            if con:
                con.close()

test = Test()
test.check("test")
I get an error:
./lookup
Traceback (most recent call last):
File "./lookup", line 27, in <module>
test.check("test")
File "./lookup", line 11, in creep
cur.execute( "SELECT * FROM records WHERE email LIKE '%s'", search )
File "/usr/local/lib/python2.7/dist-packages/MySQLdb/cursors.py", line 187, in execute
query = query % tuple([db.literal(item) for item in args])
TypeError: not all arguments converted during string formatting
I don't understand why. I'm trying to do a parameterized query, but it's been nothing but a pain. I'm somewhat new to Python, so this is probably an obvious problem.
kev*_*sa5 82
Instead of this:
cur.execute( "SELECT * FROM records WHERE email LIKE '%s'", search )
try this:
cur.execute( "SELECT * FROM records WHERE email LIKE %s", [search] )
See the MySQLdb documentation. The reason is that the second argument of execute represents a list of objects to be converted, because a parameterized query can contain any number of them. In this case you have only one, but it still needs to be an iterable (a tuple instead of a list would also work).
Moh*_*ouf 18
You can try this code:
cur.execute( "SELECT * FROM records WHERE email LIKE %s", (search,) )  # no quotes around %s: MySQLdb adds them when it escapes the value
You can look at the documentation.
小智 6
The '%' keyword is very dangerous, because it is the main cause of "SQL injection attacks".
So just use this code:
cursor.execute("select * from table where example=%s", (example,))
or
t = (example,)
cursor.execute("select * from table where example=%s", t)
If you want to try inserting into a table, try this:
name = 'ksg'
age = 19
sex = 'male'
t = (name, age, sex)
# MySQLdb accepts only %s placeholders: it escapes every value into a quoted
# string before formatting, so %d would raise TypeError even for the integer.
# 'table' stands for your real table name (it is a reserved word in MySQL).
cursor.execute("insert into table values(%s,%s,%s)", t)
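The following is an added example, not code from the question, the answers, or MySQLdb itself. It reproduces client-side what MySQLdb's cursor.execute() does with its second argument (the traceback shows the exact line: query % tuple([db.literal(item) for item in args])) so that the three behaviours discussed above can be seen without a database: passing the bare string "test" (the question), wrapping %s in quotes (the second answer's original form), and the injection-safe form with a sequence (the first and third answers). The literal() function is an assumption, a simplified stand-in for MySQLdb's db.literal(); the real one is connection- and charset-aware. Written for Python 3; the mechanics are the same on 2.7.

```python
# Added example: emulate MySQLdb's client-side parameter substitution.
# literal() is a simplified assumption, not MySQLdb's own db.literal().

def literal(value):
    """Turn a Python value into a quoted, escaped SQL literal (simplified)."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return repr(value)
    text = str(value)
    for raw, escaped in (("\\", "\\\\"), ("'", "\\'"), ("\0", "\\0"),
                         ("\n", "\\n"), ("\r", "\\r")):
        text = text.replace(raw, escaped)
    return "'" + text + "'"


def render(query, args):
    """What MySQLdb does before sending the query: the query is a plain
    %-format string and every item of args is escaped with literal() first.
    args is iterated, so a bare string becomes one item per character."""
    return query % tuple(literal(item) for item in args)


def attempt(query, args):
    """Run render() and report either ('ok', sql) or ('error', message)."""
    try:
        return ("ok", render(query, args))
    except TypeError as exc:
        return ("error", str(exc))


# Constructed inputs for the cases discussed in the question and answers.
QUERY_QUOTED = "SELECT * FROM records WHERE email LIKE '%s'"   # the asker's form
QUERY_PLAIN = "SELECT * FROM records WHERE email LIKE %s"      # the accepted form
INJECTION = "x' OR '1'='1"                                     # constructed input


def asker_call():
    # "test" is iterable: 4 literals for 1 placeholder -> the traceback's TypeError
    return attempt(QUERY_QUOTED, "test")


def quoted_placeholder_call():
    # The tuple fixes the count, but literal() already adds the quotes, so the
    # SQL contains ''test'': an empty string followed by an identifier, not 'test'.
    return attempt(QUERY_QUOTED, ("test",))


def correct_call():
    return attempt(QUERY_PLAIN, ["test"])


def unsafe_lookup(search):
    """Formatting the string by hand: the user's quote becomes SQL syntax."""
    return QUERY_QUOTED % search


def safe_lookup(search):
    """Parameterized: the quote in the input is escaped and stays data."""
    return render(QUERY_PLAIN, [search])


def contains_lookup(search):
    """LIKE wildcards belong in the value, not in the query text. A literal
    '%' that must stay in the query text itself has to be written '%%'."""
    return render(QUERY_PLAIN, ["%" + search + "%"])


def insert_with_d():
    # literal() returns strings, so a %d placeholder never works with MySQLdb.
    return attempt("INSERT INTO people VALUES (%s, %d, %s)", ("ksg", 19, "male"))


if __name__ == "__main__":
    for name, result in [("asker", asker_call()),
                         ("quoted %s", quoted_placeholder_call()),
                         ("correct", correct_call()),
                         ("%d placeholder", insert_with_d())]:
        print(name, result)
    print("unsafe:", unsafe_lookup(INJECTION))
    print("safe:  ", safe_lookup(INJECTION))
```

Running the script shows the asker's call failing with the same "not all arguments converted" message as the traceback, the quoted-placeholder form producing ''test'', and the injection string being neutralised only in safe_lookup(), where the query text never changes shape whatever the input contains.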
Views: 83440