uot;day46",)
print("连接服务器成功!")
cursor = conn.cursor(pymysql.cursors.DictCursor)
user = input("username:")
password = input("password:")
count = cursor.execute("select *from user where name = '%s' and password = '%s'" % (user,password))
if count:
print("登录成功!")
else:
print("登录失败!")
except Exception as e:
print(type(e),e)
finally:
if cursor:cursor.close()
if conn: conn.close()
上述代码有被注入攻击的危险
尝试在用户名中输入以下内容,密码随意
jerry' — ass
或者连用户名都不用写
' or 1 = 1 -- asaa
解决方案:
? 1.客户端在发送sql给服务器前进行re判断
? 这样的问题在于一些程序可以模拟客户端直接发送请求给服务器
? 2.在服务器端将sql交给mysql是作进一步处理,相关的代码其实pymysql已经做了封装
? 我们只要保证不要自己来拼接sql语句即可,将拼接参数操作交给pymysql.
try:
conn = pymysql.connect(host="127.0.0.1",port=3306,user="root",password="",db="day46",)
print("连接服务器成功!")
cursor = conn.cursor(pymysql.cursors.DictCursor)
user = input("username:")
password = input("password:")
sql = "select *from user where name = %s and password = %s"
print(sql)
count = cursor.execute(sql,(user,password)) # 参数交给模块
if count:
print("登录成功!")
else:
print("登录失败!")
except Exception as e:
print(type(e),e)
finally:
if cursor:cursor.close()
if conn: conn.close()
增删改
import pymysql
# 1.建立连接
try:
conn = pymysql.connect(host="127.0.0.1",port=3306,user="root",password="",db="day46",)
print("连接服务器成功!")
cursor = conn.cursor(pymysql.cursors.DictCursor)
#增
#sql = "insert into user values(null,%s,%s,%s)"
#count = cursor.execute(sql,("tom","man","123321"))
# 一次性插入多条记录
#sql = "insert into user values (null,%s,%s,%s)"
#count = cursor.executemany(sql, [("周芷若","woman","123"), ("赵敏","woman","321")])
#删
# count = cursor.execute("delete from user where id = 1")
#改
count = cursor.execute("update user set name = '刘大炮' where id = 1")
if count:
print("执行成功!")
else:
print("执行失败!")
# 获取最新的id
# print(cursor.lastrowid)
except Exception as e:
print(type(e),e)
finally:
if cursor:cursor.close()
if conn: conn.close()
强调:pymysql 对于数据的增删改默认都不会生效,必须调用链接对象的commit()来提交修改 或者在创建链接对象时指定为自动提交;
conn.commit()
#或者创建链接对象时指定为自动提交
conn = pymysql.connect(host="127.0.0.1",port=3306,user="root",password="",db="day46",autocommit=True)