<pre><code># Assumes `cursor` is an already-open DB-API cursor (e.g. from sqlite3 or MySQLdb)
def permCount(permList):
    # One placeholder group per (A, B, C) row; the values never enter the SQL text
    condition = ' OR '.join(['(A=? AND B=? AND C=?)'
                             for row in permList])
    sql = "SELECT Count(*) FROM Table WHERE {c}".format(
        c=condition)
    args = sum(permList, [])  # flatten the list of rows into one flat argument list
    cursor.execute(sql, args)
    return cursor.fetchone()[0]
</code></pre>
<p>Use <a href="http://www.codinghorror.com/blog/2005/04/give-me-parameterized-sql-or-give-me-death.html" rel="noreferrer">parametrized SQL</a>. That means: do not insert the values with string formatting; instead use placemarkers (e.g. <code>?</code>) and pass the values as the second <em>argument</em> to <code>cursor.execute</code>.</p>
<p>This is simpler code, and it prevents <a href="http://en.wikipedia.org/wiki/SQL_injection" rel="noreferrer">SQL injection</a>.</p>
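The following is an added, runnable illustration of the point made in this answer; it is not the answerer's code. It builds a constructed in-memory SQLite table (assumed name <code>Perms</code>, columns <code>A</code>, <code>B</code>, <code>C</code>) and counts matching rows twice: once with placeholders, as the answer recommends, and once with the values spliced into the SQL text with string formatting. A perfectly legitimate value containing an apostrophe (<code>o'brien</code>) shows why the formatted version is fragile: the query text itself changes, so the database sees a different statement than intended, which is exactly the mechanism SQL injection abuses. The placeholder version returns the right count regardless of what the values contain.

```python
import sqlite3

# Constructed sample data for this example (not from the original answer)
ROWS = [
    ("alice", "read", "docs"),
    ("bob", "write", "docs"),
    ("o'brien", "read", "code"),
]


def make_db():
    """Create an in-memory database with a Perms(A, B, C) table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Perms (A TEXT, B TEXT, C TEXT)")
    conn.executemany("INSERT INTO Perms VALUES (?, ?, ?)", ROWS)
    return conn


def perm_count_parametrized(cursor, perm_list):
    """Count rows matching any (A, B, C) triple, passing values as parameters."""
    if not perm_list:
        return 0
    # One placeholder group per triple; the SQL text never contains user data
    condition = " OR ".join(["(A=? AND B=? AND C=?)"] * len(perm_list))
    sql = "SELECT Count(*) FROM Perms WHERE {c}".format(c=condition)
    args = [value for row in perm_list for value in row]  # flatten the triples
    cursor.execute(sql, args)
    return cursor.fetchone()[0]


def perm_count_formatted(cursor, perm_list):
    """The pattern the answer warns against: values formatted into the SQL text."""
    condition = " OR ".join(
        "(A='{}' AND B='{}' AND C='{}')".format(*row) for row in perm_list
    )
    # Any quote inside a value now alters the statement the database parses
    cursor.execute("SELECT Count(*) FROM Perms WHERE " + condition)
    return cursor.fetchone()[0]


def demo():
    """Return (parametrized count, formatted count or None, formatting error or None)."""
    cur = make_db().cursor()
    wanted = [("alice", "read", "docs"), ("o'brien", "read", "code")]
    safe = perm_count_parametrized(cur, wanted)  # 2: both triples are present
    try:
        unsafe = perm_count_formatted(cur, wanted)
        error = None
    except sqlite3.OperationalError as exc:
        # The apostrophe in o'brien broke the hand-built SQL statement
        unsafe, error = None, str(exc)
    return safe, unsafe, error


if __name__ == "__main__":
    print(demo())
```

The same <code>?</code> placeholder style works with MySQLdb-style drivers that use <code>%s</code> placemarkers; only the marker character changes, the principle (data goes in the argument list, never in the statement text) does not.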