如何安全地参数化动态python-mysql查询?

2024-05-08 12:10:08 发布

您现在位置:Python中文网/ 问答频道 /正文

我想知道如何在python中安全地参数化动态mysql查询。动态的意思是,它的变化取决于if语句的计算方式

我了解如何在python中通过使用逗号而不是百分号来参数化mysql查询,如下所示

c.execute("SELECT * FROM foo WHERE bar = %s AND baz = %s", (param1, param2))

下面是一个“动态查询”的示例。我正在寻找一种比使用百分号更安全的方法

    def queryPhotos(self, added_from, added, added_to):
       sql = "select * from photos where 1=1 "
       if added_from is not None:
           sql = sql + "and added >= '%s' " % added_from
       if added is not None:
           sql = sql + "and added = '%s' " % added
       if added_to is not None:
           sql = sql + "and added <= '%s' " % added_to

谢谢你的洞察力


Tags: andtofromnoneaddedsql参数if
1条回答
网友
1楼 · 发布于 2024-05-08 12:10:08

多亏了@Nullman,我才有了答案

    def queryPhotos(self, added_from, added, added_to):
       vars = []

       sql = "select * from photos where 1=1 "
       if added_from is not None:
          sql = sql + "and added >= %s "
          vars.append(added_from)
       if added is not None:
          sql = sql + "and added = %s "
          vars.append(added)
       if added_to is not None:
          sql = sql + "and added <= %s "
          vars.append(added_to)

       vars = tuple(vars)

       results = c.execute(sql, vars)

相关问题 更多 >