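"""Show SQL injection through string formatting in MySQLdb, and how passing
the values as arguments to ``cursor.execute`` prevents it.

Cleaned up from an interactive session; the values in the ``# ->`` comments
are what that session printed (the ``L`` suffix marks Python 2 longs).
"""
import MySQLdb

# Demo connection against the server's own ``mysql.user`` table; an
# application would use a least-privileged account instead of root.
conn = MySQLdb.connect(user='root', passwd='root')
cur = conn.cursor()

# --- 1. Vulnerable: values spliced into the statement with the % operator ---
# The quotes are part of the template and the values are pasted into the SQL
# text verbatim, so anything the caller supplies becomes part of the query.
sql = "select user from mysql.user where user='%s' and password='%s'"

cur.execute(sql % ('aaa', 'aaa'))
# -> 0L  (no such user)

cur.execute(sql % ('aaa', "aaa' or ''='"))   # SQL injection
# -> 3L  the appended tautology makes the WHERE clause match every row

# ``_executed`` holds the statement as actually sent; it is a private
# attribute (leading underscore), so rely on it for debugging only.
print(cur._executed)
# -> "select user from mysql.user where user='aaa' and password='aaa' or ''=''"

print(cur.fetchall())
# -> three rows of the User column, every one of them 'root'

# --- 2. Safe: let execute() bind the values ---
# Every placeholder is %s regardless of the column type, and it is written
# WITHOUT surrounding quotes: execute() escapes each argument and adds the
# quoting itself based on the Python type of the value.  MySQLdb does this
# on the client side (not with server-side prepared statements), which is
# why hand-written quotes around a placeholder would break the protection.
sql = "select user from mysql.user where user=%s and password=%s"

cur.execute(sql, ('aaa', "aaa' or ''='"))    # injection attempt neutralised
# -> 0L

print(cur._executed)
# -> "select user from mysql.user where user='aaa' and password='aaa\\' or \\'\\'=\\''"
#    the quote characters inside the value arrive escaped, so the server
#    treats them as data rather than as SQL syntax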
MySQLdb: preventing SQL injection, while also printing the executed SQL