sql = "INSERT IGNORE INTO users_time_zone (user_id, email, username, gcm_reg_id, time_zone) " \
"VALUES(%s, '%s', '%s', '%s', '%s') ON DUPLICATE KEY UPDATE gcm_reg_id ='%s', id=LAST_INSERT_ID(id) " % \
(user_data['user_id'], user_data['email'], user_data['username'],
user_data['gcm_reg_id'], user_data['time_zone'], user_data['gcm_reg_id'])
print sql
cursor = conn.cursor()
cursor.execute(sql)
conn.commit()
有时用户名类似于 dinda_a'yunin 或 dinda_a"yunin ,这使得 sql 像这样
INSERT IGNORE INTO users_time_zone (user_id, email, username, gcm_reg_id, time_zone) VALUES(4298849, 'dinda_a'yunin@yahoo.com', 'dinda_ayunin', 'APA91bGRvg74', 'Asia/Jakarta') ON DUPLICATE KEY UPDATE gcm_reg_id ='APA91bGRvg74', id=LAST_INSERT_ID(id)
这会导致语法错误,无论如何都可以解决这个问题
最佳答案
您的代码容易受到 SQL Injection 的攻击这里...
您要么想使用prepared statement :
sql = "INSERT IGNORE INTO users_time_zone (user_id, email, username, gcm_reg_id, time_zone) " \
"VALUES(%s, %s, %s, %s, %s) ON DUPLICATE KEY UPDATE gcm_reg_id =%s, id=LAST_INSERT_ID(id) "
data = (user_data['user_id'], user_data['email'], user_data['username'],
user_data['gcm_reg_id'], user_data['time_zone'], user_data['gcm_reg_id'])
cursor = conn.cursor()
cursor.execute(sql, data)
data = list(conn.escape_string, data)
sql = "INSERT IGNORE INTO users_time_zone (user_id, email, username, gcm_reg_id, time_zone) " \
"VALUES(%s, '%s', '%s', '%s', '%s') ON DUPLICATE KEY UPDATE gcm_reg_id ='%s', id=LAST_INSERT_ID(id) "\
% data
关于python - 由于字符串中的单引号或双引号而导致 SQL 语法错误,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/30046868/