我正在 django 中创建一个网站,我希望用户在其中输入表 id 和组 id,然后返回放入的表和组。但是,我只找到了容易发生 SQL 注入的语句。有人知道如何解决这个问题吗?
mycursor = mydb.cursor()
qry = "SELECT * from %s WHERE group_id = %i;" % (assembly_name, group_id)
mycursor.execute(qry)
return mycursor.fetchall()
或者做一些能达到同样目的的事情?
我试过做这样的事情:
assembly_id = 'peptides_proteins_000005'
group_id = 5
mycursor = mydb.cursor()
mycursor.execute("SELECT * FROM %s WHERE group_id = %s", [assembly_id, group_id])
myresult = mycursor.fetchall()
但我收到此错误:
1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''peptides_proteins_000005' WHERE group_id = 5' at line 1