我想知道为什么我收到这个错误:
cmd = "INSERT INTO resulttest (category, value, timestamp) VALUES (" + key + ", " + str(value) + ", " + str(timestamp) + ")"
c.execute(cmd)
db.commit()
INSERT INTO resulttest (category, value, timestamp) VALUES (composed, 2, 1343186948.8)
Traceback (most recent call last):
File "C:/Behavioral Technology/Google Drive/twitterthingv5test.py", line 94, in <module>
moodParser()
File "C:/Behavioral Technology/Google Drive/twitterthingv5test.py", line 92, in moodParser
query()
File "C:/Behavioral Technology/Google Drive/twitterthingv5test.py", line 37, in query
main(columns)
File "C:/Behavioral Technology/Google Drive/twitterthingv5test.py", line 81, in main
c.execute(cmd)
File "C:\Python27\lib\site-packages\MySQLdb\cursors.py", line 174, in execute
self.errorhandler(self, exc, value)
File "C:\Python27\lib\site-packages\MySQLdb\connections.py", line 36, in defaulterrorhandler
raise errorclass, errorvalue
我认为这与我如何将我的值传递给SQL命令有关。
答案 0 :(得分:4)
您创建查询的代码不会尝试引用字符串值:
cmd = "INSERT INTO resulttest (category, value, timestamp) VALUES (" + key + ", " + str(value) + ", " + str(timestamp) + ")"
查看您打印的SQL语句:
INSERT INTO resulttest (category, value, timestamp) VALUES (composed, 2, 1343186948.8)
不应引用“类别”吗?
您不应该首先使用字符串操作编写SQL语句。这就是SQL注入漏洞的发生方式。相反,您应该使用占位符并让MySQL库处理它们:
c.execute(
"INSERT INTO resulttest (category, value, timestamp) VALUES (?, ?, ?)",
(key, value, timestamp)
)
答案 1 :(得分:0)
如果Ned Batchelder的建议不起作用,可以选择以下方法:
sql = "INSERT into resulttest (category, value, timestamp) VALUES (%s, %s, %s)"
c.execute(sql % (key, value, timestamp))
我遇到了一个问题,我的SQL命令没有被执行,并且遵循这种语法使它工作。
虽然你必须小心,因为使用%而不是,开启了SQL注入的可能性,但这是唯一对我有用的语法。可能是Python-MySQL版本和兼容性问题。
更好的想法是安装兼容版本并遵循正确的语法。