First, you should learn how to install the Pymysql module:
Installation 1:
// installation 3 Install Pymysql /* If the PIP does not work properly, it can be reported that: Fatal error in launcher:unable to create process using ' "' may be because PIP is not configured properly and can be used: */ // Try it for a general success, note the previous Python version number
Installation 2: Installing in Pycharm
Pymysql usage: (Connect database, get cursor, execute SQL statement, close cursor, close connection)
ImportPymysql#Get user InputName = input ("user name >>:") PWD= Input ("password >>:")#Verify that the user name and password entered by the user are correct#Take the data from the database and make judgments .#1. Connect to the databaseconn = Pymysql.connect (host="localhost", database="S8", user="Root", password="", charset="UTF8")#not Utf-8 .#there is no link to the light, you need to get the cursor, so I can enter the SQL statement and executecursor =conn.cursor ()#2. Execute SQL statement--select * from UserInfo where name=name and Pwd=pwdsql ="SELECT * from UserInfo WHERE name= '%s ' and pwd= '%s ';"%(name, pwd)Print(SQL) RET= Cursor.execute (SQL)#gets the number of rows affected#close cursor and connectioncursor.close () conn.close ( )ifret:Print("Landing Success")Else: Print("Logon Failure")
Although the user name and password entered has been implemented in comparison with the data in the database, but there is a problem, if the user entered the input-symbol will be commented out after the SQL will not execute, it will bypass the password, for example:
The last space, if a select * from and Name='Egon'is encountered in an SQL statement, then-- the condition is commented out. #1, SQL injection: The user exists, bypassing the password Egon' --Any character #2, SQL injection: The user does not exist, Bypass user with password xxx' or 1=1--any character
How to resolve:
Copy Code#It turns out we're string concatenation of SQL#sql= "SELECT * from UserInfo where name= '%s ' and password= '%s '"% (user,pwd)#print (SQL)#rows=cursor.execute (SQL)#rewritten as (execute helps us do string concatenation, we don't need and must not quote%s again)Sql="SELECT * from UserInfo where name=%s andpassword=%s"#!!! Note that%s needs to be stripped of the quotation marks because Pymysql automatically addsRows=Cursor.execute (sql,[user,pwd])#Pymysql module automatically helps us solve the problem of SQL injection, as long as we follow the rules of Pymysql.
increase, delete, change and check the data of the database:
Continuous update ....
MySQL's Pymysql module related