SQL statement, pymysql module, sql injection problems

First, the full version of SQL query statement

select 
    distinct post,avg(salary) 
from 
    table 
where 
    id > 1 
group by
    post`
having 
    avg(salary)>100
order by 
    avg(salary)
limit 5,5

group by: After grouping, the grouping is based on the smallest identifiable unit, can no longer obtain information directly to other fields, if you want to obtain additional information fields, only indirectly by acquiring additional methods, the above situation requires you to set strict mode, if the entire SQL statement has no group by default is a whole group.

Second, aggregate functions

• max
• me
• avg
• sum
• count

ps: polymerizable function only after the packet

Three, distinct and limit

distinct (de-emphasis) must meet the data de-duplication is exactly the same case, in order to achieve the effect of weight, if you check out the data contained in the primary key field, it is impossible to re success.

limit 5; write only one parameter, starting from the first show 5

limit 5,5; starting from the fifth, excluding Article V, showing five

ps: MySQL is not case sensitive

Fourth, fuzzy matching, and regular expression match

1, fuzzy match

• %: Any number of characters

• _: Any single character

2, regular expressions

where name regexp "^j.*(n|y)$"

Denotes beginning j, n end or y, the intermediate is any character

Indicates that matches any character except a newline

* Indicates o to infinity

+ Represents 1 to infinity

? 0 or 1

^ What does it begin with

$ Express what end

Recalling the re module

findall: packet priority, the brackets will be matched to the regular priority return

match: scratch match, a match to return

search: the whole match, a match to return

res = match ( '^ j * (n |. y) $', 'Jason')

print(res.group())

Five, concat and concat_ws

concat and before the packets with concat_ws

• concat (name, ':', age, ':', salary) for string concatenation

• concat_ws ( ':', name, age, salary) is consistent with the above results

Join method is similar to the string, but differentiated: join method can only be used between the strings.

':'. Join ([ '1', 2, '3']) are the numbers because, being given

六、exists

keyword indicates that there exists, exists in the use of the keyword, the inner query does not return records check, but return a true or false value, True or False.

When returning True, the outer query will query

When returning False, not the outer query query

select * from emp where exists (select id from dep where id>203);

Seven, pymysql module

import pymysql

conn = pymysql.connect(
    host='127.0.0.1',
    port=3306,
    user='root',
    passwoord='123',
    database='day38',
    charset='utf8'  # 不能加—
)
cursor=conn.cursor(pymysql.cursors.DictCursor)  # 产生一个游标对象，以字典的形式返回查询结果
sql = 'select * from teacher'
res = cursor.execute(sql)  # 执行传入的sql语句
print(res)  # res是执行语句返回的数据条数
print(cursor.fetchone())  # 只获取一条数据
print(cursor.fetchone())  # 只获取一条数据
print(cursor.fetchone())  # 只获取一条数据
cursor.scroll(2,'absolute')  # 控制光标移动 absolute相对于起始位置，往后移动几位
cursor.scroll(1,'relative')  # relative相对于当前位置，往后移动几位
print(cursor.fetchall())  # 获取所有的数据，返回的结果是一个列表

cursor.close()
conn.close()

Eight, sql injection problems

import pymysql


conn = pymysql.connect(
    host = '127.0.0.1',
    port = 3306,
    user = 'root',
    password = '123',
    database = 'day38',
    charset = 'utf8',  # 编码千万不要加- 如果写成了utf-8会直接报错
    autocommit = True  # 这个参数配置完成后  增删改操作都不需要在手动加conn.commit了
)
cursor = conn.cursor(pymysql.cursors.DictCursor)  # 产生一个游标对象  以字典的形式返回查询出来的数据 键是表的字段  值是表的字段对应的信息



# sql = 'insert into user(name,password) values("jerry","666")'
# sql = 'update user set name = "jasonhs" where id = 1'
sql = 'delete from user where id = 6'
cursor.execute(sql)


"""
增删改操作 都必须加一句
conn.commit()操作
"""
# conn.commit()
# username = input('username>>>:')
# password = input('password>>>:')
# sql = "select * from user where name =%s and password = %s"
# print(sql)
# res = cursor.execute(sql,(username,password))  # 能够帮你自动过滤特殊符号 避免sql注入的问题
# # execute 能够自动识别sql语句中的%s 帮你做替换
# if res:
#     print(cursor.fetchall())
# else:
#     print('用户名或密码错误')


"""
sql注入 就是利用注释等具有特殊意义的符号 来完成一些骚操作
后续写sql语句  不要手动拼接关键性的数据
而是让excute帮你去做拼接
"""

# 不要手动去拼接查询的sql语句
username = input(">>>:").strip()
password = input(">>>:").strip()
sql = "select * from user where username='%s' and password='%s'"%(username,password)

# 用户名正确
username >>>: jason' -- jjsakfjjdkjjkjs
# 用户名密码都不对的情况
username >>>: xxx' or 1=1 --asdjkdklqwjdjkjasdljad
password >>>: ''

Nine, additions and deletions

# 增
sql = "insert into user(username,password) values(%s,%s)"
rows = cursor.excute(sql,('jason','123'))

# 修改
sql = "update user set username='jasonDSB' where id=1"
rows = cursor.excute(sql)

"""
增和改单单执行excute并不会真正影响到数据，需要再执行conn.commit()才可以完成真正的增改
"""

# 一次插入多行记录
res = cursor,excutemany(sql,[(),(),()]