1

我遇到了一个我不知道如何解决的问题。

我有这条线:

parse = cur.execute("SELECT * FROM testdb WHERE Match(name) AGAINST         ('"The.New.York.Times"' IN BOOLEAN MODE);")

如果我运行:

parse = cur.execute("SELECT * FROM testdb WHERE Match(name) AGAINST ('"The.New.York.Times"'     IN BOOLEAN MODE);")

在 mysql 控制台中,它可以工作。但我猜python不喜欢'"The.New.York.Times"'引号。我该如何解决?

而且,我将如何在 python 中使该搜索字符串成为变量?类似的东西

parse = cur.execute("SELECT * FROM testdb WHERE Match(name) AGAINST ('"%s"' IN BOOLEAN MODE);, var1")

?

4

1 回答 1

1

为了避免 sql 注入并获得正确的转义,您应该将查询变量作为第二个参数传递给execute

param = '"The.New.York.Times"'
cur.execute("SELECT * FROM predb WHERE Match(name) AGAINST (%s IN BOOLEAN MODE)", (param, ))
于 2013-08-05T12:29:44.177 回答