我尝试使用以下代码在MySQL表中对名为N_NUMBER的列进行简单检索:
from os.path import join, dirname
from dotenv import load_dotenv
import MySQLdb
TABLE_NAME = 'testmaster'
dotenv_path = join(dirname(__file__), '.env')
load_dotenv(dotenv_path) # loads the .env
dbName = os.environ.get('DB_NAME')
mydb = MySQLdb.connect(host=os.environ.get('DB_HOST'), user=os.environ.get('DB_USER'), passwd=os.environ.get('DB_PASS'), db=dbName)
cursor = mydb.cursor()
cursor.execute("SELECT N_NUMBER FROM %s", (TABLE_NAME,))
我每次都会继续获得相同的Traceback,这是:
Traceback (most recent call last):
File "updateMaster.py", line 101, in <module>
cursor.execute("SELECT 'N_NUMBER' FROM %s", (TABLE_NAME,))
File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/MySQLdb/cursors.py", line 205, in execute
self.errorhandler(self, exc, value)
File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
raise errorclass, errorvalue
_mysql_exceptions.ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''testmaster'' at line 1")
我还尝试使用pyformat样式的语法,如.execute()方法的文档所推荐,但仍然收到相同的错误。 pyformat样式看起来像:
cursor.execute("SELECT N_NUMBER FROM %(table_name)s", {'table_name':TABLE_NAME})
当我尝试直接将表名插入命令字符串时,该命令有效,导致我怀疑它与%s有关。出了什么问题?
答案 0 :(得分:2)
您无法参数化表格或列名称。虽然认识到SQL Injection攻击的可能性,但确实如此:
cursor.execute("SELECT N_NUMBER FROM {}".format(TABLE_NAME))