## Navicat Introduction
# In a production environment the mysql command line is recommended, but for convenience while testing you can use an IDE tool.
# Download link: https://pan.baidu.com/s/1bpo5mqj
# Things to master:
# 1. Testing the connection and connecting to the database
# 2. Creating a database
# 3. Creating a table and adding fields, types and constraints
# 4. Table design: foreign keys
# 5. Creating a new query
# 6. Backing up a database / table
# Note: batch comment: Ctrl + ? ; batch uncomment: Ctrl + Shift + ?
# Use visual tools like this sparingly, otherwise you will gradually forget how to write SQL statements.
## pymysql module
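# 1. Installation
#        pip3 install pymysql

# 2. Connect, execute SQL, close (cursor)
import pymysql

user = input('User name: ').strip()
pwd = input('password: ').strip()

# Connect.
# NOTE(review): root / '123' are demo credentials; real code should read them from
# configuration and connect with an account limited to the tables it needs.
conn = pymysql.connect(
    host='localhost',
    user='root',
    password='123',
    database='Egon',
    charset='utf8',
)
try:
    # Cursor that returns each row as a dictionary.
    cursor = conn.cursor(cursor=pymysql.cursors.DictCursor)

    # Execute the SQL statement. The placeholders are NOT quoted and the values
    # go in as the second argument of execute(), so user input is never spliced
    # into the statement text (section 3 explains why this matters).
    # NOTE(review): this compares the password as plaintext inside the query; a
    # real system stores a salted password hash and verifies it in the application.
    sql = 'SELECT * from UserInfo WHERE name = %s and password = %s'
    cursor.execute(sql, (user, pwd))

    # res = cursor.fetchone()    # get one row
    res = cursor.fetchmany(10)   # get several rows
    # res = cursor.fetchall()    # get all rows: a list of dictionaries
    # print(res)

    # Close the cursor first, then the connection.
    cursor.close()
finally:
    # Runs even when connect succeeded but the query raised.
    conn.close()

if res:
    print('Login successful')
else:
    print('Login failed')

# 3. The SQL injection problem
#
# The login check becomes vulnerable when the statement is built with % string
# formatting (in that form the %s placeholders have to be wrapped in quotes):
#
#     sql = "select * from t4 where name = '%s' and pwd = '%s'" % (username, pwd)
#
# The risk this brings:
#
# Example one: username = zekai' #
#     select * from t4 where name = 'zekai' #' and pwd = ''
#   The quote in the input closes the string literal and '#' turns the rest of
#   the statement into a comment, so the password condition is never evaluated.
#
# Example two: username = dbsahvbdsha' or 1=1 #
#     select * from t4 where name = 'dbsahvbdsha' or 1=1
#   The condition is always true, so rows come back without a valid user name.
#
# This problem is called SQL injection.
#
# Root cause: user input is trusted too much. The values received from the user
# are placed into the statement text without being escaped.
#
# Solving SQL injection:
#   1. Escape the user-entered values manually (easy to get wrong; prefer 2).
#   2. Let execute() do it: pymysql escapes and quotes every value passed in the
#      second argument before it is substituted for a %s placeholder.
#
#     sql = "select * from t4 where name = %s and pwd = %s"
#     cursor.execute(sql, (username, pwd))
#
#   Only values can be passed this way. Table and column names cannot be
#   parameters, so they must never be taken from user input unchecked.
#
# Insert one row:
#     cursor.execute(sql, ('lxxx', '1234'))
#
# Insert several rows:
#     data = [
#         ('aaaaa', 'aaa'),
#         ('Bbbb', 'bbb'),
#         ('ffff', '666'),
#         ('Yyyy', '888'),
#     ]
#     cursor.executemany(sql, data)
#
# Inserts, deletes and updates are transactional and must be committed:
#     try:
#         cursor.execute(sql, ('lxxx', '1234'))
#         conn.commit()
#     except Exception as e:
#         conn.rollback()
#         raise    # do not hide the failure after rolling back
#
# cursor.lastrowid: the auto-increment id generated by the most recent insert on
# this cursor. NOTE(review): after executemany() it reflects the batched
# statement; confirm which row's id it is before relying on it.

# 4. Insert / delete / update: these must be committed
# Connect to the mysql server
conn = pymysql.connect(
    host='localhost',
    user='root',
    password='123',
    database='DB1',
    charset='utf8',
)
cursor = conn.cursor(cursor=pymysql.cursors.DictCursor)

# sql = "delete from t7 where id=%s"
# sql = "delete from t7 where id=3"
sql = "insert into t4 (name, pwd) values (%s, %s)"

# Insert several rows
data = [
    ('aaaaa', 'aaa'),
    ('Bbbb', 'bbb'),
    ('ffff', '666'),
    ('Yyyy', '888'),
]

try:
    cursor.executemany(sql, data)
    # Insert a single row instead:
    # cursor.execute(sql, ('GGGG', '1234'))

    # pymysql does not autocommit by default; without commit() the rows are lost
    # when the connection closes.
    conn.commit()
    print(cursor.lastrowid)
    # print(conn.insert_id())
except Exception:
    # Undo the partial batch, then let the error surface instead of hiding it.
    conn.rollback()
    raise
finally:
    cursor.close()
    conn.close()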