<p>The problem here is that the wildcard string literal is not bound correctly to the query parameters. You should use a prepared statement here. Assuming you are using <code>psycopg2</code>, you could try:</p>
<pre><code>import psycopg2

# `request` (the web framework's request object) and `db` (the database
# connection/cursor) come from the surrounding application.
searchBook = request.form['searchBook']
sql = """SELECT *
FROM books_table
WHERE isbn LIKE %s OR title LIKE %s OR year::text LIKE %s"""
# The wildcards belong on the parameter, not in the SQL text, and the
# parameter (not the raw input) is what gets bound to each %s placeholder.
param = "%" + searchBook + "%"
found = db.execute(sql, (param, param, param))
</code></pre>
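<p>An added, self-contained illustration of the same pattern (not part of the answer above): the wildcards are appended to the bound parameter, user-typed <code>%</code> and <code>_</code> are escaped so they match literally, and the whole thing runs offline against an in-memory <code>sqlite3</code> table standing in for PostgreSQL (sqlite3 uses <code>?</code> placeholders where psycopg2 uses <code>%s</code>; the catalogue rows are constructed).</p>

```python
import sqlite3

# Constructed sample catalogue, not data from the original question.
BOOKS = [
    ("9780131103627", "The C Programming Language", 1988),
    ("9780596007126", "Head First Design Patterns", 2004),
    ("9781593279288", "Python Crash Course", 2019),
]


def like_param(term: str) -> str:
    """Turn raw user input into a LIKE pattern.

    The surrounding wildcards go on the parameter, never into the SQL text,
    and any '%' or '_' typed by the user is escaped so it matches literally
    instead of widening the search.
    """
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    return "%" + escaped + "%"


def search_books(conn: sqlite3.Connection, term: str) -> list:
    # One bound parameter per placeholder; the driver quotes it, so the
    # input can never alter the statement structure.
    sql = """SELECT isbn, title, year
             FROM books_table
             WHERE isbn LIKE ? ESCAPE '\\'
                OR title LIKE ? ESCAPE '\\'
                OR CAST(year AS TEXT) LIKE ? ESCAPE '\\'"""
    param = like_param(term)
    return conn.execute(sql, (param, param, param)).fetchall()


def demo_db() -> sqlite3.Connection:
    """Build the in-memory stand-in for books_table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books_table (isbn TEXT, title TEXT, year INTEGER)")
    conn.executemany("INSERT INTO books_table VALUES (?, ?, ?)", BOOKS)
    return conn


if __name__ == "__main__":
    db = demo_db()
    for needle in ("Crash", "20", "%", "' OR 1=1 --"):
        print(repr(needle), "->", search_books(db, needle))
```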