stmt = "UPDATE requests SET (hostname,domainname,naptrsrvptrinitial,cnameptrfinal,publiclist,privatelist) = ('%s','%s','%s','%s','{%s}','{%s}') WHERE requestid = %d"%(str(myjson['hostName']),str(myjson['domainName']),str(myjson['customRecord']),str(myjson['canName']),publicArray,privateArray,int(myjson['requestID']))
curs.execute(stmt)
I have the query above, which is SQL injection; below is the query that mitigates the SQL injection.
curs.execute("UPDATE requests SET (hostname,domainname,naptrsrvptrinitial,cnameptrfinal,publiclist,privatelist) = (%s,%s,%s,%s,{%s},{%s}) WHERE requestid = %s",(str(myjson['hostName']),str(myjson['domainName']),str(myjson['customRecord']),str(myjson['canName']),publicArray,privateArray,int(myjson['requestID'])))
If I pass the arrays as {%s} in the query above, it throws an error. How can I solve this?
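Added example, not part of the original question: a placeholder stands for one complete SQL value, so wrapping it as `{%s}` leaves bare braces around a quoted string in the statement; the sketch below instead builds the whole array literal in Python and binds it through a plain `%s`. It assumes PostgreSQL and a DB-API driver with `%s` placeholders (such as psycopg2), and that the two lists arrive as Python lists of strings; `pg_array_literal` and `build_update` are hypothetical helper names.

```python
# Added example: assumes PostgreSQL and a DB-API driver with %s placeholders
# (e.g. psycopg2); the list inputs and helper names are hypothetical.

def pg_array_literal(items):
    """Render a Python list of strings as a PostgreSQL array literal.

    Every element is double-quoted, with backslash and double quote escaped,
    so commas, braces or quotes inside an element cannot change the array
    structure. None becomes an unquoted NULL element.
    """
    parts = []
    for item in items:
        if item is None:
            parts.append("NULL")
        else:
            text = str(item).replace("\\", "\\\\").replace('"', '\\"')
            parts.append('"' + text + '"')
    return "{" + ",".join(parts) + "}"


UPDATE_SQL = (
    "UPDATE requests SET (hostname,domainname,naptrsrvptrinitial,"
    "cnameptrfinal,publiclist,privatelist) = (%s,%s,%s,%s,%s,%s) "
    "WHERE requestid = %s"
)


def build_update(myjson, public_list, private_list):
    """Return (sql, params) ready for curs.execute(sql, params)."""
    params = (
        str(myjson["hostName"]),
        str(myjson["domainName"]),
        str(myjson["customRecord"]),
        str(myjson["canName"]),
        pg_array_literal(public_list),   # whole array is one bound value
        pg_array_literal(private_list),
        int(myjson["requestID"]),
    )
    return UPDATE_SQL, params


if __name__ == "__main__":
    # Constructed sample input, including elements with quotes and commas.
    sample = {"hostName": "web01", "domainName": "example.com",
              "customRecord": "rec", "canName": "alias", "requestID": "7"}
    sql, params = build_update(sample, ["10.0.0.1", 'a","b'], ["x'); DROP--"])
    print(sql)
    print(params)
```

With psycopg2 specifically, a Python list passed as a parameter is adapted to a PostgreSQL array by the driver, so the lists can also be bound directly without building the literal by hand.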