Suppose a query fetches the articles belonging to user A. The SQL looks like this:
SELECT * FROM table WHERE owner = 'A';
A SQL injection attacker changes the user name to carry the attack, for example replacing A with A' or 1='1
The combined SQL statement becomes:
SELECT * FROM table WHERE owner = 'A' or 1 = '1';
The condition is now always true, so the query returns every user's articles, not just A's.
So a SQL injection attack consists of smuggling part of the data into the SQL statement as syntax: the ' or 1='1 above is no longer a value, it is parsed as part of the query.
The forgery depends on a quotation mark in the content closing the string literal, so one way to prevent it is to escape the quotes inside the parameters; the user name above becomes A\' or 1=\'1, which MySQL reads as one literal string again. Note that escaping only protects values that sit inside quoted literals; a value used in an unquoted position (a numeric id, for example) has no quote to escape, which is why passing values as parameters to the driver (cursor.execute(sql, params)) is the more reliable defense.
Quotation marks here mean both single and double quotation marks.
Python's MySQLdb module has a function specifically for this escaping:

import MySQLdb

def safe(s):
    # escape_string backslash-escapes quotes, backslashes and a few
    # control characters so the value can sit inside a quoted literal;
    # in current mysqlclient it returns bytes
    return MySQLdb.escape_string(s)
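As an added example (not code from the original page), the following Python script shows the three behaviours side by side: the concatenated query that the payload subverts, the quote-escaping described above, and a parameterized query. It uses the standard library's sqlite3 as a stand-in database so it runs offline, and a small pure-Python reimplementation of MySQLdb.escape_string's backslash rules so no MySQL driver is needed; the table, rows and the ARTICLES/PAYLOAD names are constructed for the example. Because SQLite does not coerce 1='1' to true the way MySQL does, the payload here uses the string form '1'='1'.

```python
import sqlite3

# Constructed sample rows (not from the original page): two articles owned
# by A and one by B.
ARTICLES = [
    (1, "A", "first post"),
    (2, "A", "second post"),
    (3, "B", "private note"),
]

# Payload in the form the page describes. SQLite, unlike MySQL, does not
# coerce 1='1' to true, so the string form '1'='1' is used here.
PAYLOAD = "A' or '1'='1"


def mysql_escape_string(s):
    """Stand-in for MySQLdb.escape_string: backslash-escape the characters
    MySQL treats specially inside a quoted literal. Returns str so the
    result can be spliced into a query and inspected."""
    table = {
        "\\": "\\\\",
        "'": "\\'",
        '"': '\\"',
        "\0": "\\0",
        "\n": "\\n",
        "\r": "\\r",
        "\x1a": "\\Z",
    }
    return "".join(table.get(ch, ch) for ch in s)


def build_query_unsafe(owner):
    # Vulnerable: the value is pasted straight into the statement.
    return "SELECT * FROM articles WHERE owner='%s'" % owner


def build_query_escaped(owner):
    # The page's fix: escape quotes so the value stays inside the literal
    # (MySQL syntax; SQLite would not accept the backslash form).
    return "SELECT * FROM articles WHERE owner='%s'" % mysql_escape_string(owner)


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, owner TEXT, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", ARTICLES)
    return conn


def run_unsafe(owner):
    """Execute the concatenated query; the payload widens it to every row."""
    conn = _fresh_db()
    try:
        return conn.execute(build_query_unsafe(owner)).fetchall()
    finally:
        conn.close()


def run_parameterized(owner):
    """Preferred defense: the driver binds the value, so it is never parsed
    as SQL. sqlite3 uses the '?' placeholder; MySQLdb uses '%s'."""
    conn = _fresh_db()
    try:
        return conn.execute(
            "SELECT * FROM articles WHERE owner=?", (owner,)
        ).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    print(build_query_unsafe(PAYLOAD))
    print(build_query_escaped(PAYLOAD))
    print(len(run_unsafe("A")), "rows for A via concatenation")
    print(len(run_unsafe(PAYLOAD)), "rows with the payload via concatenation")
    print(len(run_parameterized(PAYLOAD)), "rows with the payload via parameters")
```

With the payload, the concatenated query returns all three rows (B's private note included), the escaped query keeps the whole value inside the literal, and the parameterized query returns nothing because no owner is literally named A' or '1'='1.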
How to prevent SQL injection attacks