<p>For injection it does not matter which operator, function, clause or any other <a href="http://blog.oudamou.co.cc/2011/07/programmatic-mutualism.html" rel="nofollow">host-language</a> term is involved. Injection is the problem of mixing data and language statements together, which happens whenever you splice data into a statement. Prepared statement parameters keep the data and the statement separate, so they are not susceptible to injection.</p>
<p>As for <code>?</code> versus <code>%s</code> for the parameters, the MySQLdb documentation for <a href="http://mysql-python.sourceforge.net/MySQLdb-1.2.2/public/MySQLdb.cursors.BaseCursor-class.html#execute" rel="nofollow">Cursor.execute</a> says the following:</p>
<blockquote>
<pre><code>execute(self, query, args=None)</code></pre>
<p>[...]</p>
<p>Note: If args is a sequence, then %s must be used as the parameter placeholder in the query. If a mapping is used, %(key)s must be used as the placeholder.</p>
</blockquote>
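<p>Added example (not part of the answer above): the two statement shapes the answer contrasts, run against a constructed in-memory sqlite3 table so it works offline. sqlite3 reports paramstyle <code>qmark</code> (<code>?</code>) while MySQLdb reports <code>format</code> (<code>%s</code>); the <code>PLACEHOLDERS</code> table and the <code>users</code> schema are assumptions for this demo, and the parameterized call is otherwise the same <code>execute(query, args)</code> shape on both drivers.</p>

```python
import sqlite3

# Constructed sample data standing in for a MySQL "users" table.
SAMPLE_ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]

# DB-API paramstyle -> placeholder token. MySQLdb uses 'format' (%s),
# sqlite3 uses 'qmark' (?); only the token differs, not the mechanism.
PLACEHOLDERS = {"format": "%s", "qmark": "?"}


def make_db():
    """Build the in-memory table the lookups below run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_query(paramstyle):
    """Statement text with the driver's placeholder; no data is inside it."""
    return "SELECT id, name FROM users WHERE name = " + PLACEHOLDERS[paramstyle]


def unsafe_lookup(conn, name):
    # Vulnerable shape: Python's % operator splices the data into the
    # statement before the driver sees it, so quotes in `name` become SQL.
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def safe_lookup(conn, name):
    # Parameterized shape: statement and data travel separately and the
    # driver binds `name` as a value, never as part of the SQL text.
    sql = lookup_query(sqlite3.paramstyle)  # '?' here, '%s' under MySQLdb
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("unsafe:", unsafe_lookup(db, probe))  # returns every row
    print("safe:  ", safe_lookup(db, probe))    # returns no rows
```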