The most common cause of SQL injection is string stitching: building the SQL statement by concatenating or formatting user-supplied values directly into it. Developers should treat every such concatenation as a risk rather than ignore it.
Error usage 1 (vulnerable: the values are formatted into the statement text):
sql = "SELECT id, name FROM test WHERE id=%d AND name='%s'" % (user_id, name)
cursor.execute(sql)
Error usage 2 (vulnerable: the values are concatenated into the statement text):
sql = "SELECT id, name FROM test WHERE id=" + str(user_id) + " AND name='" + name + "'"
cursor.execute(sql)
Correct usage 1 (parameterized query):
args = (user_id, name)
sql = "SELECT id, name FROM test WHERE id=%s AND name=%s"
cursor.execute(sql, args)
cursor.execute() accepts the statement and its parameter values separately (note that MySQLdb uses %s as the placeholder for every value, not %d, and the placeholders are not quoted by hand). The driver quotes and escapes each value itself, so the SQL injection problem is handled by the library rather than by a hand-built string.
Correct usage 2 (manual escaping before formatting):
name = MySQLdb.escape_string(name)
sql = "SELECT id, name FROM test WHERE id=%d AND name='%s'" % (user_id, name)
cursor.execute(sql)
The Python module MySQLdb ships the MySQL escaping function escape_string, which escapes the characters that would otherwise terminate or alter the quoted string literal. Two caveats: the module-level escape_string does not know the connection's character set, and on Python 3 builds of mysqlclient it returns bytes rather than str, so the %s formatting above would need a decode; it also only protects values that are placed inside quotes, while the %d for the id relies on the value already being an integer. The parameterized form in correct usage 1 avoids all of this and is the preferred approach.
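The following is an added example, not code from the original post, showing why the stitched form in the error usages fails and the parameterized form in correct usage 1 does not. It uses the standard-library sqlite3 module in place of MySQLdb so that it runs offline (sqlite3 binds values with ? where MySQLdb uses %s); the table, its rows and the function names are constructed for the example. A legitimate name containing an apostrophe is enough to show the mechanism: in the stitched query the quote reaches the SQL parser and changes the statement, while the bound parameter is treated purely as data.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for the post's `test` table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test (id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO test VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "O'Brien")],
    )
    return conn


def find_stitched(conn, user_id, name):
    # Mirrors "error usage 1": the value is formatted into the statement text,
    # so any quote inside `name` is interpreted by the SQL parser, not stored
    # as data. This is the root cause of SQL injection.
    sql = "SELECT id, name FROM test WHERE id=%d AND name='%s'" % (user_id, name)
    return conn.execute(sql).fetchall()


def find_parameterized(conn, user_id, name):
    # Mirrors "correct usage 1": the statement is fixed and the driver binds
    # the values separately, so the quote in `name` never touches the parser.
    sql = "SELECT id, name FROM test WHERE id=? AND name=?"
    return conn.execute(sql, (user_id, name)).fetchall()


def demo():
    # Run both forms against the same legitimate input and report what happened.
    conn = make_db()
    results = {}
    results["param_ok"] = find_parameterized(conn, 3, "O'Brien")
    try:
        results["stitched"] = find_stitched(conn, 3, "O'Brien")
    except sqlite3.OperationalError as exc:
        # The apostrophe ended the string literal early; the rest of the name
        # was parsed as SQL. A crafted value would do the same deliberately.
        results["stitched"] = "error: %s" % exc
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, "->", value)
```

The symptom here is a syntax error on an ordinary name; the lesson is that the stitched query's shape depends on its input, which is exactly what injection exploits. The parameterized query returns the expected row and would return zero rows, not an error or extra rows, for any other input.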
How to prevent SQL injection in Python