比如:address字符串中 包含 \ ' " 時候 在拼接sql語句時,必須在這些字符前加上轉義字符 \ 纔可以不影響sql語句,可以用字符串處理函數將對應的字符替換成帶有轉義的字符即可
address = address.replace("\\","\\\\")
address = address.replace("'","\\'")
address = address.replace('"','\\"')
特殊的字符可能會引起sql的注入,我們應該儘量使用mysql提供的接口去傳參,而不是 自己去拼接sql語句
例如:mysql官方手冊api 就解釋的很清處
https://dev.mysql.com/doc/connector-python/en/connector-python-reference.html
比如已python爲例:
# 插入單條數據
insert_stmt = (
"INSERT INTO employees (emp_no, first_name, last_name, hire_date) "
"VALUES (%s, %s, %s, %s)"
)
data = (2, 'Jane', 'Doe', datetime.date(2012, 3, 23))
cursor.execute(insert_stmt, data)
# 字典方式
select_stmt = "SELECT * FROM employees WHERE emp_no = %(emp_no)s"
cursor.execute(select_stmt, { 'emp_no': 2 })
data = [
('Jane', date(2005, 2, 12)),
('Joe', date(2006, 5, 23)),
('John', date(2010, 10, 3)),
]
# 插入多條數據
stmt = "INSERT INTO employees (first_name, hire_date) VALUES (%s, %s)"
cursor.executemany(stmt, data)
# 實際是這樣的結果
#INSERT INTO employees (first_name, hire_date)
#VALUES ('Jane', '2005-02-12'), ('Joe', '2006-05-23'), ('John', '2010-10-03')