我试图使用Python中的SQLite参数替换IN子句.这是一个完整的运行示例,演示:
import sqlite3
c = sqlite3.connect(":memory:")
c.execute('CREATE TABLE distro (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT)')
for name in 'Ubuntu Fedora Puppy DSL SuSE'.split():
c.execute('INSERT INTO distro (name) VALUES (?)', [ name ] )
desired_ids = ["1", "2", "5", "47"]
result_set = c.execute('SELECT * FROM distro WHERE id IN (%s)' % (", ".join(desired_ids)), ())
for result in result_set:
print result
打印出来:
(1,u'Ubuntu')(2,u'Fedora')(5,u'SuSE')
正如文档所述,"[y]你不应该使用Python的字符串操作来组装你的查询,因为这样做是不安全的;它会使你的程序容易受到SQL注入攻击,"我希望使用参数替换.
当我尝试:
result_set = c.execute('SELECT * FROM distro WHERE id IN (?)', [ (", …