我想知道如何在python中安全地参数化动态mysql查询。动态的意思是,它的变化取决于if语句的计算方式
我了解如何在python中通过使用逗号而不是百分号来参数化mysql查询,如下所示
c.execute("SELECT * FROM foo WHERE bar = %s AND baz = %s", (param1, param2))
下面是一个“动态查询”的示例。我正在寻找一种比使用百分号更安全的方法
def queryPhotos(self, added_from, added, added_to):
sql = "select * from photos where 1=1 "
if added_from is not None:
sql = sql + "and added >= '%s' " % added_from
if added is not None:
sql = sql + "and added = '%s' " % added
if added_to is not None:
sql = sql + "and added <= '%s' " % added_to
谢谢你的洞察力
多亏了@Nullman,我才有了答案
相关问题 更多 >
编程相关推荐