python 下安裝pymysql應用

前言

pymsql是Python中操做MySQL的模塊，其使用方法和MySQLdb幾乎相同。但目前pymysql支持python3.x然後者不支持3.x版本。

本文測試python版本：2.7.11。mysql版本：5.6.24

1、安裝

1	pip3 install pymysql

2、使用操做

一、執行SQL

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

#!/usr/bin/env pytho # -*- coding:utf-8 -*- import pymysql    # 建立鏈接 conn = pymysql.connect(host = '127.0.0.1' , port = 3306 , user = 'root' , passwd = ' ', db=' tkq1 ', charset=' utf8') # 建立遊標 cursor = conn.cursor()    # 執行SQL，並返回收影響行數 effect_row = cursor.execute( "select * from tb7" )    # 執行SQL，並返回受影響行數 #effect_row = cursor.execute("update tb7 set pass = '123' where nid = %s", (11,))    # 執行SQL，並返回受影響行數,執行屢次 #effect_row = cursor.executemany("insert into tb7(user,pass,licnese)values(%s,%s,%s)", [("u1","u1pass","11111"),("u2","u2pass","22222")])       # 提交，否則沒法保存新建或者修改的數據 conn.commit()    # 關閉遊標 cursor.close() # 關閉鏈接 conn.close()

注意：存在中文的時候，鏈接須要添加charset='utf8'，不然中文顯示亂碼。

二、獲取查詢數據

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

#! /usr/bin/env python # -*- coding:utf-8 -*- # __author__ = "TKQ" import pymysql   conn = pymysql.connect(host = '127.0.0.1' , port = 3306 , user = 'root' , passwd = ' ', db=' tkq1') cursor = conn.cursor() cursor.execute( "select * from tb7" )   # 獲取剩餘結果的第一行數據 row_1 = cursor.fetchone() print row_1 # 獲取剩餘結果前n行數據 # row_2 = cursor.fetchmany(3)   # 獲取剩餘結果全部數據 # row_3 = cursor.fetchall()   conn.commit() cursor.close() conn.close()

三、獲取新建立數據自增ID

能夠獲取到最新自增的ID，也就是最後插入的一條數據ID

1 2 3 4 5 6 7 8 9 10 11 12 13 14

#! /usr/bin/env python # -*- coding:utf-8 -*- # __author__ = "TKQ" import pymysql   conn = pymysql.connect(host = '127.0.0.1' , port = 3306 , user = 'root' , passwd = ' ', db=' tkq1') cursor = conn.cursor() effect_row = cursor.executemany( "insert into tb7(user,pass,licnese)values(%s,%s,%s)" , [( "u3" , "u3pass" , "11113" ),( "u4" , "u4pass" , "22224" )]) conn.commit() cursor.close() conn.close() #獲取自增id new_id = cursor.lastrowid      print new_id

四、移動遊標

操做都是靠遊標，那對遊標的控制也是必須的

1 2 3 4

注：在fetch數據時按照順序進行，可使用cursor.scroll(num,mode)來移動遊標位置，如：   cursor.scroll( 1 ,mode = 'relative' ) # 相對當前位置移動 cursor.scroll( 2 ,mode = 'absolute' ) # 相對絕對位置移動

 

五、fetch數據類型

關於默認獲取的數據是元祖類型，若是想要或者字典類型的數據，即：

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

#! /usr/bin/env python # -*- coding:utf-8 -*- # __author__ = "TKQ" import pymysql   conn = pymysql.connect(host = '127.0.0.1' , port = 3306 , user = 'root' , passwd = ' ', db=' tkq1') #遊標設置爲字典類型 cursor = conn.cursor(cursor = pymysql.cursors.DictCursor) cursor.execute( "select * from tb7" )   row_1 = cursor.fetchone() print row_1　　 #{u'licnese': 213, u'user': '123', u'nid': 10, u'pass': '213'}   conn.commit() cursor.close() conn.close()

六、調用存儲過程

a、調用無參存儲過程

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

#! /usr/bin/env python # -*- coding:utf-8 -*- # __author__ = "TKQ"   import pymysql   conn = pymysql.connect(host = '127.0.0.1' , port = 3306 , user = 'root' , passwd = ' ', db=' tkq1') #遊標設置爲字典類型 cursor = conn.cursor(cursor = pymysql.cursors.DictCursor) #無參數存儲過程 cursor.callproc( 'p2' )  #等價於cursor.execute("call p2()")   row_1 = cursor.fetchone() print row_1     conn.commit() cursor.close() conn.close()

b、調用有參存儲過程

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

#! /usr/bin/env python # -*- coding:utf-8 -*- # __author__ = "TKQ"   import pymysql   conn = pymysql.connect(host = '127.0.0.1' , port = 3306 , user = 'root' , passwd = ' ', db=' tkq1') cursor = conn.cursor(cursor = pymysql.cursors.DictCursor)   cursor.callproc( 'p1' , args = ( 1 , 22 , 3 , 4 )) #獲取執行完存儲的參數,參數@開頭 cursor.execute( "select @p1,@_p1_1,@_p1_2,@_p1_3" )  #{u'@_p1_1': 22, u'@p1': None, u'@_p1_2': 103, u'@_p1_3': 24} row_1 = cursor.fetchone() print row_1     conn.commit() cursor.close() conn.close()

3、關於pymysql防注入

 一、字符串拼接查詢，形成注入

正常查詢語句：

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

#! /usr/bin/env python # -*- coding:utf-8 -*- # __author__ = "TKQ" import pymysql   conn = pymysql.connect(host = '127.0.0.1' , port = 3306 , user = 'root' , passwd = ' ', db=' tkq1') cursor = conn.cursor() user = "u1" passwd = "u1pass" #正常構造語句的狀況 sql = "select user,pass from tb7 where user='%s' and pass='%s'" % (user,passwd) #sql=select user,pass from tb7 where user='u1' and pass='u1pass' row_count = cursor.execute(sql) row_1 = cursor.fetchone() print row_count,row_1   conn.commit() cursor.close() conn.close()

構造注入語句：

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

#! /usr/bin/env python # -*- coding:utf-8 -*- # __author__ = "TKQ" import pymysql   conn = pymysql.connect(host = '127.0.0.1' , port = 3306 , user = 'root' , passwd = ' ', db=' tkq1') cursor = conn.cursor()   user = "u1' or '1'-- " passwd = "u1pass" sql = "select user,pass from tb7 where user='%s' and pass='%s'" % (user,passwd)   #拼接語句被構形成下面這樣，永真條件，此時就注入成功了。所以要避免這種狀況需使用pymysql提供的參數化查詢。 #select user,pass from tb7 where user='u1' or '1'-- ' and pass='u1pass'   row_count = cursor.execute(sql) row_1 = cursor.fetchone() print row_count,row_1     conn.commit() cursor.close() conn.close()

 

 二、避免注入，使用pymysql提供的參數化語句

正常參數化查詢

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

#! /usr/bin/env python # -*- coding:utf-8 -*- # __author__ = "TKQ"   import pymysql   conn = pymysql.connect(host = '127.0.0.1' , port = 3306 , user = 'root' , passwd = ' ', db=' tkq1') cursor = conn.cursor() user = "u1" passwd = "u1pass" #執行參數化查詢 row_count = cursor.execute( "select user,pass from tb7 where user=%s and pass=%s" ,(user,passwd)) row_1 = cursor.fetchone() print row_count,row_1   conn.commit() cursor.close() conn.close()

構造注入，參數化查詢注入失敗。

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

#! /usr/bin/env python # -*- coding:utf-8 -*- # __author__ = "TKQ" import pymysql   conn = pymysql.connect(host = '127.0.0.1' , port = 3306 , user = 'root' , passwd = ' ', db=' tkq1') cursor = conn.cursor()   user = "u1' or '1'-- " passwd = "u1pass" #執行參數化查詢 row_count = cursor.execute( "select user,pass from tb7 where user=%s and pass=%s" ,(user,passwd)) #內部執行參數化生成的SQL語句，對特殊字符進行了加\轉義，避免注入語句生成。 # sql=cursor.mogrify("select user,pass from tb7 where user=%s and pass=%s",(user,passwd)) # print sql #select user,pass from tb7 where user='u1\' or \'1\'-- ' and pass='u1pass'被轉義的語句。   row_1 = cursor.fetchone() print row_count,row_1   conn.commit() cursor.close() conn.close()

結論：excute執行SQL語句的時候，必須使用參數化的方式，不然必然產生SQL注入漏洞。

三、使用存mysql儲過程動態執行SQL防注入

使用MYSQL存儲過程自動提供防注入，動態傳入SQL到存儲過程執行語句。

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

delimiter \\ DROP PROCEDURE IF EXISTS proc_sql \\ CREATE PROCEDURE proc_sql (    in nid1 INT ,    in nid2 INT ,    in callsql VARCHAR( 255 )    ) BEGIN    set @nid1 = nid1;    set @nid2 = nid2;    set @callsql = callsql;      PREPARE myprod FROM @callsql; - -   PREPARE prod FROM 'select * from tb2 where nid>? and nid<?' ;  傳入的值爲字符串，？爲佔位符 - -   用@p1，和@p2填充佔位符      EXECUTE myprod USING @nid1,@nid2;    DEALLOCATE prepare myprod;   END\\ delimiter ;

1 2 3 4

set @nid1 = 12 ; set @nid2 = 15 ; set @callsql = 'select * from tb7 where nid>? and nid<?' ; CALL proc_sql(@nid1,@nid2,@callsql)

pymsql中調用

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

#! /usr/bin/env python # -*- coding:utf-8 -*- # __author__ = "TKQ" import pymysql   conn = pymysql.connect(host = '127.0.0.1' , port = 3306 , user = 'root' , passwd = ' ', db=' tkq1') cursor = conn.cursor() mysql = "select * from tb7 where nid>? and nid<?" cursor.callproc( 'proc_sql' , args = ( 11 , 15 , mysql))   rows = cursor.fetchall() print rows #((12, 'u1', 'u1pass', 11111), (13, 'u2', 'u2pass', 22222), (14, 'u3', 'u3pass', 11113)) conn.commit() cursor.close() conn.close()

4、使用with簡化鏈接過程

每次都鏈接關閉很麻煩，使用上下文管理，簡化鏈接過程

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

#! /usr/bin/env python # -*- coding:utf-8 -*- # __author__ = "TKQ"   import pymysql import contextlib #定義上下文管理器，鏈接後自動關閉鏈接 @contextlib .contextmanager def mysql(host = '127.0.0.1' , port = 3306 , user = 'root' , passwd = ' ', db=' tkq1 ',charset=' utf8'):    conn = pymysql.connect(host = host, port = port, user = user, passwd = passwd, db = db, charset = charset)    cursor = conn.cursor(cursor = pymysql.cursors.DictCursor)    try :      yield cursor    finally :      conn.commit()      cursor.close()      conn.close()   # 執行sql with mysql() as cursor:    print (cursor)    row_count = cursor.execute( "select * from tb7" )    row_1 = cursor.fetchone()    print row_count, row_1

總結

以上就是關於Python中pymysql模塊的所有內容，但願對你們學習或使用python能有必定的幫助，若是有疑問你們能夠留言交流。