<p>As an extension of Bruno's answer, your MySQL client library may support any of several different formats for specifying named parameters. Under <a href="http://www.python.org/dev/peps/pep-0249/">PEP 249 (DB-API)</a>, you can write queries like the following:</p>
<h3>“qmark”</h3>
<pre><code>>>> cursor.execute("SELECT spam FROM eggs WHERE lumberjack = ?", (lumberjack,))
</code></pre>
<h3>“numeric”</h3>
<pre><code>>>> cursor.execute("SELECT spam FROM eggs WHERE lumberjack = :1", (lumberjack,))
</code></pre>
<h3>“named”</h3>
<pre><code>>>> cursor.execute("SELECT spam FROM eggs WHERE lumberjack = :jack", {'jack': lumberjack})
</code></pre>
<h3>“format”</h3>
<pre><code>>>> cursor.execute("SELECT spam FROM eggs WHERE lumberjack = %s", (lumberjack,))
</code></pre>
<h3>“pyformat”</h3>
<pre><code>>>> cursor.execute("SELECT spam FROM eggs WHERE lumberjack = %(jack)s", {'jack': lumberjack})
</code></pre>
<p>You can see which of these your client library supports by looking at the <code>paramstyle</code> module-level variable:</p>
<pre><code>>>> clientlibrary.paramstyle
'pyformat'
</code></pre>
<p>Any of the options above should be correct for handling possibly unsafe data. As Bruno pointed out, please don't try to interpolate the parameters yourself. The commonly used client libraries are far better at handling data correctly than we mere mortals are.</p>
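<p>The following is an added example, not code from the answer above or from any MySQL driver. It uses the standard-library <code>sqlite3</code> module (whose <code>paramstyle</code> is <code>'qmark'</code>, with <code>'named'</code> also accepted) so it runs offline against a constructed <code>eggs</code> table. It runs the answer's lookup in the qmark and named styles, then in the interpolated form the answer warns against, to show that a value containing a quote is handled as data by the placeholder forms but breaks the hand-built statement. The <code>pyformat_to_named</code> helper is an assumption of this example, not part of DB-API or of any driver: it rewrites a <code>%(jack)s</code> query into <code>:jack</code> form so the same parameter dict can be reused with a driver of a different <code>paramstyle</code>.</p>

```python
import re
import sqlite3

# Constructed sample data: an 'eggs' table with the columns used in the answer's queries.
SAMPLE_ROWS = [("ok", "fine"), ("quoted", "O'Brien")]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE eggs (spam TEXT, lumberjack TEXT)")
    conn.executemany("INSERT INTO eggs VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def driver_paramstyle():
    """The module-level paramstyle that PEP 249 requires every driver to expose."""
    return sqlite3.paramstyle  # 'qmark' for the stdlib sqlite3 module


def find_qmark(conn, lumberjack):
    # 'qmark' style: positional '?' placeholders, values passed as a sequence.
    cur = conn.execute("SELECT spam FROM eggs WHERE lumberjack = ?", (lumberjack,))
    return [row[0] for row in cur]


def find_named(conn, lumberjack):
    # 'named' style: ':name' placeholders, values passed as a mapping.
    cur = conn.execute("SELECT spam FROM eggs WHERE lumberjack = :jack", {"jack": lumberjack})
    return [row[0] for row in cur]


def find_interpolated(conn, lumberjack):
    # The pattern the answer warns against: the value becomes part of the SQL text,
    # so the driver can no longer tell data from syntax.
    sql = "SELECT spam FROM eggs WHERE lumberjack = '%s'" % lumberjack
    return [row[0] for row in conn.execute(sql)]


def compare_styles(lumberjack):
    """Run the same lookup each way. For the interpolated form, report the error class
    name instead of rows when the value breaks the statement."""
    conn = make_db()
    try:
        interpolated = find_interpolated(conn, lumberjack)
    except sqlite3.Error as exc:
        interpolated = type(exc).__name__
    return {
        "qmark": find_qmark(conn, lumberjack),
        "named": find_named(conn, lumberjack),
        "interpolated": interpolated,
    }


_PYFORMAT = re.compile(r"%\((\w+)\)s")


def pyformat_to_named(sql):
    """Hypothetical helper (assumption, not part of DB-API): rewrite a 'pyformat' query
    such as ... = %(jack)s into the 'named' form ... = :jack. Only placeholder text is
    touched; the parameter dict is passed through unchanged. It does not parse SQL, so
    a literal '%(x)s' inside a string constant would be rewritten too."""
    return _PYFORMAT.sub(r":\1", sql)


def find_via_pyformat(conn, lumberjack):
    # A query written for a 'pyformat' driver, executed on a 'named' driver via the helper.
    sql = pyformat_to_named("SELECT spam FROM eggs WHERE lumberjack = %(jack)s")
    return [row[0] for row in conn.execute(sql, {"jack": lumberjack})]


if __name__ == "__main__":
    print(driver_paramstyle())
    print(compare_styles("fine"))
    print(compare_styles("O'Brien"))
```

<p>Running it shows the placeholder forms returning the <code>quoted</code> row for <code>O'Brien</code> while the interpolated form fails with an <code>OperationalError</code>; the same mechanism that breaks the statement on an innocent apostrophe is what lets hostile input change the statement's meaning, which is why the answer says to leave quoting to the driver.</p>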