我的代码如下:
select_query = "SELECT DISTINCT name FROM people WHERE name in (%s)"
parameters = "'"+"','".join(['\\','--','where'])+"'"
cursor.execute(select_query, parameters)
print str(cursor._executed)
我要执行的查询是:
SELECT DISTINCT name FROM people WHERE name in ('\','--','where')
作为最后的手段,我得到了这个参数——它仍然不能完全满足我的要求。Python 转义字符,打印返回:
SELECT DISTINCT name FROM people WHERE name in ('\'\\\',\'--\',\'where\'')
问题是您parameters是一个字符串,其中包含MySQLdb将尝试转义的字符。
您可以自己插入查询字符串...
select_query = "SELECT DISTINCT name FROM people WHERE name in (%s)"
parameters = "'"+"','".join(['\\','--','where'])+"'"
cursor.execute(select_query % parameters)
print str(cursor._executed)
...但这很容易受到 SQL 注入的影响,并且不适用于您的情况,因为它会产生...
SELECT DISTINCT name FROM people WHERE name in ('\','--','where')
...这不是一个有效的查询,正如您从 SO 的语法突出显示中看到的那样。
做这样的事情更安全......
parameters = ['\\','--','where']
placeholders = ','.join(['%s'] * len(parameters))
select_query = "SELECT DISTINCT name FROM people WHERE name in (%s)" % placeholders
cursor.execute(select_query, parameters)
print str(cursor._executed)
...这将产生一个类似...的查询
SELECT DISTINCT name FROM people WHERE name in ('\\','--','where')
...我认为这是你真正想要的。
更新
我希望不要做类似的事情: placeholders = ','.join(['%s'] * len(parameters)) 这就是我在这里发布的原因 - 没有更好的解决方案吗?
好吧,我不确定这是否“更好”,但您可以使用MySQLdb-specificConnection.escape_string()方法或底层_mysql模块的escape_string()功能......
>>> import _mysql
>>> select_query = "SELECT DISTINCT name FROM people WHERE name in (%s)"
>>> parameters = "'"+"','".join(map(_mysql.escape_string, ['\\','--','where']))+"'"
>>> print select_query % parameters
SELECT DISTINCT name FROM people WHERE name in ('\\','--','where')
...但在PEP249Connection.escape_string()中没有提到,因此您将失去跨数据库兼容性。
你能不能把它作为一个原始字符串输入?
r在字符串前面放一个;
print "SELECT DISTINCT name FROM people WHERE name in ('\','--','where')"
SELECT DISTINCT name FROM people WHERE name in ('','--','where')
而与r:
print r"SELECT DISTINCT name FROM people WHERE name in ('\','--','where')"
SELECT DISTINCT name FROM people WHERE name in ('\','--','where')