即使如此如何解决这个问题:
cursor.execute("""SELECT * FROM Users AS t1
INNER JOIN Users_has_Users AS t ON t.Users_id = t1.id
INNER JOIN Users AS t2 ON t.Users_id1 = t2.id
WHERE t1.email = %s AND t1.id != t2.id AND t2.id >= %s
ORDER BY t2.name {}
LIMIT 10""".format(order), (email, since_id, limit))
错误:
not all arguments converted during string formatting
最佳答案
您不能使用 SQL 参数来插入数据以外的任何内容;数据;您不能将其用于任何 SQL 关键字,例如 ASC
,也不能将其用于 limit 参数。这就是 SQL 参数的点;以避免它们的值被解释为 SQL。
使用字符串格式来插入排序方向和查询限制:
cursor.execute("""SELECT * FROM Users AS t1
INNER JOIN Users_has_Users AS t ON t.Users_id = t1.id
INNER JOIN Users AS t2 ON t.Users_id1 = t2.id
WHERE t1.email = %s AND t1.id != t2.id AND t2.id >= %s
ORDER BY t2.name {}
LIMIT {}""".format(order, limit), (email, since_id))
这确实假设您可以完全控制order
和limit
的内容;永远不要从用户提供的数据中设置它,因为这样的字符串格式会让您面临 SQL 注入(inject)攻击。
关于python - 当我尝试执行sql查询时出现错误,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/22582121/