MySQL's Pymysql module related

Source: Internet
Author: User

First, you should learn how to install the Pymysql module:
Installation 1:

// installation 3 Install Pymysql /* If the PIP does not work properly, it can be reported that: Fatal error in launcher:unable to create process using ' "' may be because PIP is not configured properly and can be used: */  // Try it for a general success, note the previous Python version number

Installation 2: Installing in Pycharm

Pymysql usage: (Connect database, get cursor, execute SQL statement, close cursor, close connection)

ImportPymysql#Get user InputName = input ("user name >>:") PWD= Input ("password >>:")#Verify that the user name and password entered by the user are correct#Take the data from the database and make judgments .#1. Connect to the databaseconn = Pymysql.connect (host="localhost", database="S8", user="Root", password="", charset="UTF8")#not Utf-8 .#there is no link to the light, you need to get the cursor, so I can enter the SQL statement and executecursor =conn.cursor ()#2. Execute SQL statement--select * from UserInfo where name=name and Pwd=pwdsql ="SELECT * from UserInfo WHERE name= '%s ' and pwd= '%s ';"%(name, pwd)Print(SQL) RET= Cursor.execute (SQL)#gets the number of rows affected#close cursor and connectioncursor.close () conn.close ( )ifret:Print("Landing Success")Else:    Print("Logon Failure")

Although the user name and password entered has been implemented in comparison with the data in the database, but there is a problem, if the user entered the input-symbol will be commented out after the SQL will not execute, it will bypass the password, for example:

The last space, if a select * from and Name='Egon'is encountered in an SQL statement, then-- the condition is commented out.  #1, SQL injection: The user exists, bypassing the password Egon'  --Any character #2, SQL injection: The user does not exist, Bypass user with password xxx'  or 1=1--any character

How to resolve:

Copy Code#It turns out we're string concatenation of SQL#sql= "SELECT * from UserInfo where name= '%s ' and password= '%s '"% (user,pwd)#print (SQL)#rows=cursor.execute (SQL)#rewritten as (execute helps us do string concatenation, we don't need and must not quote%s again)Sql="SELECT * from UserInfo where name=%s  andpassword=%s"#!!! Note that%s needs to be stripped of the quotation marks because Pymysql automatically addsRows=Cursor.execute (sql,[user,pwd])#Pymysql module automatically helps us solve the problem of SQL injection, as long as we follow the rules of Pymysql. 

increase, delete, change and check the data of the database:

Continuous update ....

  

MySQL's Pymysql module related

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.