Python MySQLdb WHERE SQL LIKE

Question

我最近开始学习用于Web的Python和MySQL,我遇到了以下问题:

我想从mysql数据库中提取一条记录,其中包含我在param部分中输入的任何文本,但是我在进行查询时遇到以下问题:

traceback (most recent call last):
  File "/Users/Strielok/Desktop/test.py", line 13, in <module>
    c.execute("SELECT * FROM data WHERE params LIKE ('%s%') LIMIT 1"  % (param))
TypeError: not enough arguments for format string

这是我的代码:

import MySQLdb



db = MySQLdb.connect (host = "localhost",
                          user = "root",
                          passwd = "root",
                          db = "test")
param = "Test"

par = param

c = db.cursor()

c.execute("SELECT * FROM data WHERE params LIKE ('%s%') LIMIT 1"  % (param))


data = c.fetchall()
print data

c.close()

提前致谢.

Answer 1

直接将数据插入SQL字符串不是最好的方法,因为它很容易注入SQL.您应该将其更改为:

c.execute("SELECT * FROM data WHERE params LIKE %s LIMIT 1", ("%" + param + "%",))