#!/usr/bin/python
# -*- coding:utf-8 -*-
"""Login lookup that builds its SQL with Python string formatting.

INTENTIONALLY VULNERABLE: this is the "before" example for SQL injection.
The typed username and password are pasted into the statement text, so any
double quote in the input changes the structure of the query. Do not reuse
this pattern; pass the values as query parameters instead.
"""
import pymysql

username = input('請輸入用戶名:')
password = input('請輸入密碼:')

# Open the demo database connection.
conn = pymysql.connect(
    host='127.0.0.1',
    port=3306,
    user='root',
    password="666",
    database="exercise",
    charset='utf8',
)
cursor = conn.cursor()

# The statement text is assembled from raw input before the driver sees it,
# so the driver has no chance to escape or quote the values.
query = 'select * from userinfo where username="%s" and password="%s" ' % (username, password)
row_count = cursor.execute(query)

# Why this is injectable ("-- " followed by a space starts a comment in MySQL,
# so everything after it is ignored):
#
# Case 1 - a correct username alone is enough, the password check is cut off:
#   user = lily" --
#   pwd  = sdfsdf
#   'select * from userinfo where username="lily" -- " and password="sdfsdf"'
#
# Case 2 - 1=1 is always true, so the WHERE clause is true for every row:
#   user = asdfasdf" or 1=1 --
#   pwd  = asdfasdf
#   'select * from userinfo where username="asdfasdf" or 1=1 -- " and password="asdfasdf"'

row = cursor.fetchone()
print(row)  # e.g. (1, 'lily', '666')

cursor.close()
conn.close()
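#!/usr/bin/python
# -*- coding:utf-8 -*-
"""Login lookup that passes user input as query parameters.

The username and password are handed to the driver separately from the SQL
text, which prevents the input from changing the structure of the statement.
"""
import pymysql

user = input('請輸入用戶名:')
pwd = input('請輸入密碼:')

# NOTE(review): root with a hard-coded password is acceptable only for a local
# exercise database; an application should connect with a least-privilege
# account and load its credentials from configuration.
conn = pymysql.connect(
    host='127.0.0.1',
    port=3306,
    user='root',
    password="666",
    database="exercise",
    charset='utf8',
)
try:
    cursor = conn.cursor()
    try:
        # The %s markers are driver placeholders, not Python string formatting:
        # the values travel in the second argument and the driver escapes and
        # quotes each one. Placeholders cover values only; table and column
        # names cannot be parameterized this way and must never come from input.
        # v is the number of rows the statement affected/matched.
        v = cursor.execute(
            'select * from userinfo where username=%s and password=%s',
            [user, pwd],
        )

        # NOTE(review): the sample row below suggests passwords are stored in
        # clear text and compared inside SQL. A real login should store a salted
        # password hash and verify it in application code, and should not print
        # the credential column.
        result = cursor.fetchone()
        print(result)  # e.g. (1, 'lily', '666')
    finally:
        # Release the cursor even when the query raises.
        cursor.close()
finally:
    # Always return the connection, including on error paths.
    conn.close()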
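#!/usr/bin/python
# -*- coding:utf-8 -*-
"""Insert a class row, then a student row that references its new id.

Both statements use driver placeholders, and both rows are committed together
so a failure of the second insert does not leave a class without its student.
"""
import pymysql

# NOTE(review): root with a hard-coded password is acceptable only for a local
# exercise database; use a least-privilege account elsewhere.
conn = pymysql.connect(
    host='127.0.0.1',
    port=3306,
    user='root',
    password="666",
    database="exercise",
    charset='utf8',
)
try:
    cursor = conn.cursor()
    try:
        # Values are passed separately from the SQL text, which prevents
        # SQL injection through them.
        cursor.execute('insert into class(caption) values(%s)', ['新班級'])

        # Auto-increment id of the row just inserted; it is available right
        # after execute(), before the commit.
        new_class_id = cursor.lastrowid

        cursor.execute(
            'insert into student(sname, gender, class_id) values(%s, %s, %s)',
            ['lily', '女', new_class_id],
        )

        # One commit for both inserts keeps them atomic (assuming the tables
        # use a transactional engine such as InnoDB - confirm).
        conn.commit()
    except Exception:
        # Undo the partial work, then let the error surface to the caller.
        conn.rollback()
        raise
    finally:
        cursor.close()
finally:
    conn.close()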