<p>应使用SQL参数:</p>
<pre><code>cuDatabase.execute ("""
SELECT Result
FROM resultstable
WHERE QuizID = ?
AND UserID = ?""", (Quizno, UserID))
</code></pre>
<p>占位符<code>?</code>将被您的值替换,自动引用这些值以防止SQL注入攻击(和操作错误)。</p>
<p>引用<a href="https://docs.python.org/2/library/sqlite3.html" rel="nofollow">^{<cd2>} module documentation</a>:</p>
<blockquote>
<p>Usually your SQL operations will need to use values from Python variables. You shouldn’t assemble your query using Python’s string operations because doing so is insecure; it makes your program vulnerable to an SQL injection attack (see <a href="http://xkcd.com/327/" rel="nofollow">http://xkcd.com/327/</a> for humorous example of what can go wrong).</p>
<p>Instead, use the DB-API’s parameter substitution. Put <code>?</code> as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s <code>execute()</code> method. (Other database modules may use a different placeholder, such as <code>%s</code> or <code>:1</code>.)</p>
</blockquote>
<p>如果此查询未返回结果,请使用单独的查询向数据库询问其他测验;如果使用<code>OR</code>而不是<code>AND</code>,否则,您将同时获得<em>其他</em>用户已完成的测验结果,<em>和</em>此</em>用户已完成的任何<em>操作。</p>