11

此脚本旨在充当命令行前端,以将记录添加到本地托管的 MySQL 数据库。

我收到此错误:

mysql.connector.errors.ProgrammingError: 1054 (42S22): Unknown column 'watermelon' in 'field list'

但是西瓜是我要输入的值,而不是列名!

这是脚本:

#! /usr/bin/python

#use command line as front end to enter new rows into locally hosted mysql database

import mysql.connector

#create inputs
new_fruit = raw_input('What fruit do you want to add? ')
new_fruit_type = raw_input('Which type of ' + new_fruit + '? ')

#connect to dbase
conn = mysql.connector.connect(user='root', password='xxxx', database='play')

#instansiate cursor
cursor = conn.cursor()

#define sql statement
add_record = "INSERT INTO fruit (name, variety) VALUES (%s, %s)" % (new_fruit, new_fruit_type)

#execute sql
cursor.execute(add_record)

#close out
conn.commit()
cursor.close()
conn.close()

和表模式:

mysql> describe fruit;
+---------+----------+------+-----+---------+----------------+
| Field   | Type     | Null | Key | Default | Extra          |
+---------+----------+------+-----+---------+----------------+
| id      | int(11)  | NO   | PRI | NULL    | auto_increment |
| name    | char(30) | YES  |     | NULL    |                |
| variety | char(30) | YES  |     | NULL    |                |
+---------+----------+------+-----+---------+----------------+
3 rows in set (0.00 sec)
4

2 回答 2

12 
"INSERT INTO fruit (name, variety) VALUES (%s, %s)" % ("watermelon", "melon")

字面上变成

INSERT INTO fruit (name, variety) VALUES (watermelon, melon)

而不是字符串,watermelon并且melon是列。要解决此问题,请在您的%s.

"INSERT INTO fruit (name, variety) VALUES ('%s', '%s')" % (new_fruit, new_fruit_type)

但是,您应该将其运行为:

cursor.execute("INSERT INTO fruit (name, variety) VALUES (%s, %s)", (new_fruit, new_fruit_type));

请注意,我们去掉了周围的引号,%s并将变量作为第二个参数传递给execute方法。Execute防止变量中的 sql 注入以及将字符串括在引号中。

有关详细信息,请参阅http://mysql-python.sourceforge.net/MySQLdb.html#some-examples

于 2013-10-23T14:10:45.040 回答
3

问题在这里:

add_record = "INSERT INTO fruit (name, variety) VALUES (%s, %s)" % (new_fruit, new_fruit_type)

想象一下这将产生的查询:

INSERT INTO fruit (name, variety) VALUES (watermelon, something_else)

这些价值不再是价值!它们看起来更像列引用 ( Unknown column 'watermelon' in 'field list')

相反,您应该使用准备好的语句:

query = "INSERT INTO fruit (name, variety) VALUES (%s, %s)"
cursor.execute(query, (new_fruit, new_fruit_type))

这将自动为您处理参数化,并防止SQL 注入

于 2013-10-23T14:15:49.957 回答