1, in real terms
MySql statement is user-spliced string
2, an example
Import pymysql # get user input information username = the INPUT ( " Please enter your user name: " ) pwd = the INPUT ( " Please enter your password: " ) # connect to the database conn = pymysql.connect ( Host = ' localhost ' , Port = 3306 , the User = ' the root ' , password = ' @ WSX3edc ' , Database = ' UserInfo ' , charset =' UTF8 ' ) # Get cursor Cursor = conn.cursor () SQL = " SELECT * WHERE info from name = '% S' and password = '% S'; " % (username, pwd) # execute statement MySql Print (SQL ) RET = cursor.execute (SQL) IF RET: Print ( " Login successful! " ) the else : Print ( " Login failed! " ) # close the cursor cursor.close () # close the connection conn.close ()
Injection statement
Input sentence Losser ' or. 1 =. 1 # output sql statement SELECT * from info WHERE name = ' Losser ' or . 1 =. 1 # ' and password = ''; Note: I use pycharm connected MySql, sql statement pycharm in Notes is: # If you do not connect to the database by pycharm, but directly connected via pymysql comment should be: - the SELECT * from info the WHERE name = ' Losser ' or 1 = 1 1 = 1 is never true statement # 'and password =' ' ;
3, to solve the problem injection -> character splice module by pymysql
Import pymysql # get user input information username = the INPUT ( " Please enter your user name: " ) password = the INPUT ( " Please enter your password: " ) # connect to the database conn = pymysql.connect ( Host = ' localhost ' , Port = 3306 , the User = ' the root ' , password = ' @ WSX3edc ' , Database = ' UserInfo ' , charset =' UTF8 ' ) # Get cursor Cursor = conn.cursor () # sql statement sql = ' SELECT * WHERE info from name and password =% S =% S; ' # execute sql statement sql statement splicing performed by pymysql RET = Cursor .execute (SQL, [username, password]) IF RET: Print ( " ! Login successful " ) the else : Print ( " Login failed! " ) # close the cursor cursor.close () # close the connection conn.close ()