文章摘要:SQL注入在哪里传递参数值 sql注入通常会在哪些地方传递参数值
SQL注入在%s占位符的字典传参,示例代码: import pymysql db = pymysql.conn […]
SQL注入在%s占位符的字典传参,示例代码:
import pymysql
db = pymysql.connect(host="119.XX.XX.XX",
port=3306,
user="XXXXXXXX",
passwd="XXXXXXXXXXXXX",
db="XXXXXX",
charset='utf8')
# %s 占位符为需要传递的参数,切记不要加''双引号,要不然会报错
sql = "SELECT totalusercount * 1.4 FROM mm_project_uv_outdoor WHERE poiid = %s AND currenttime = %s"
cursor = db.cursor()
# 以下为传递多个参数的用法
cursor.execute(sql,['B00140N5CS','2019-04-23'])
# 传递单个参数时 cursor.execute(sql,'B00140N5CS')
print(cursor.fetchall())
db.close()