使用python中的SELECT QUERY WITH WHERE CLAUSE从Microsoft Access数据库中获取数据

时间:2016-10-11 09:27:30

标签: python ms-access select

from tkinter import *

# Root window shared by view() and the widgets laid out below.
lg = Tk()
# Open maximised ("zoomed" is the Tk window state used for that on Windows).
lg.state("zoomed")

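def view(db_path="D:\\customer_details.mdb"):
    """Look up the customer whose id was typed into ``accno`` and show the
    matching ``cus_details`` rows as a grid of labels on ``lg``.

    Bound to the "Verify" button, so Tk calls it with no arguments; the
    database path is a keyword parameter only so it can be overridden.
    ``accno`` and ``lg`` are module-level widgets created elsewhere in the
    script, so this must not run before they exist.

    Args:
        db_path: Path of the Access (.mdb) file to open.

    Raises:
        Whatever pypyodbc raises when the connection, query or fetch fails;
        the connection is closed before the error propagates.
    """
    import pypyodbc

    cus = accno.get()
    print([cus])

    # The typed value is passed as a bound parameter and never spliced into the
    # SQL text. That is what stops a crafted account number from altering the
    # query, and it also supplies the marker the driver needs for the parameter
    # tuple (the string-built query had none, so pypyodbc refused the call with
    # "0 parameter markers, but 1 parameters were supplied").
    q = "select * from cus_details where cus_id = ?"
    con = pypyodbc.win_connect_mdb(db_path)
    try:
        cur = con.cursor()
        cur.execute(q, (cus,))
        result = cur.fetchall()
    finally:
        # Release the ODBC handle even when execute/fetch raises.
        con.close()

    # Blank spacer labels that push the table down and to the right.
    Label(lg, text="", font="Calibri 12 bold", width=2).grid(row=1, column=1)
    for spacer_row in range(2, 8):
        Label(lg, text="", font="Calibri 12", width=2).grid(row=spacer_row, column=1)
    Label(lg, text="", font="Calibri 12", width=10).grid(row=8, column=0)
    Label(lg, text="", font="Calibri 12", width=10).grid(row=9, column=1)
    Label(lg, text="", font="Calibri 12", width=10).grid(row=9, column=2)

    # Column headings occupy row 9, columns 3..10.
    headings = (
        ("Customer ID", 5),
        ("First Name", 20),
        ("Last Name", 15),
        ("Address", 10),
        ("ID Proof", 15),
        ("A/c No", 15),
        ("A/c Type", 15),
        ("Initial Deposit", 15),
    )
    for col, (heading, width) in enumerate(headings, start=3):
        Label(lg, text=heading, font="Calibri 12", width=width).grid(row=9, column=col)

    # Data rows start at grid row 10. `select *` relies on the table's column
    # order matching the headings above; naming the columns in the query would
    # make that explicit.
    row_widths = (5, 10, 20, 10, 10, 10, 10, 10)
    for r, row in enumerate(result, start=10):
        Label(lg, text="", font="Calibri 12", width=10).grid(row=r, column=0)
        Label(lg, text="", font="Calibri 12", width=10).grid(row=r, column=2)
        # zip() stops at the shorter side, so a row with fewer than eight
        # columns is shown partially instead of raising IndexError.
        for col, (value, width) in enumerate(zip(row, row_widths), start=3):
            Label(lg, text=value, font="Calibri 12", width=width).grid(row=r, column=col)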


# Static widgets of the main screen.
tit = Label(lg, text="BANK MANAGEMENT SYSTEM", font="Batang 29 bold", fg="blue")
tit1 = Label(lg, text="Account Detail", font="Calibri 15 bold")
la1 = Label(lg, text="Account No", font="Calibri 12")
# Entry that view() reads via accno.get() when "Verify" is pressed.
accno = Entry(lg, width=35)

# Shared look of the three buttons.
_button_style = dict(bg="green", width=11, height=1, fg="white", font="Calibri 10 bold")
# "Delete" and "Cancel" are created but never placed, so they stay invisible.
but = Button(lg, text="Delete", **_button_style)
but1 = Button(lg, text="Cancel", **_button_style)
but2 = Button(lg, text="Verify", command=view, **_button_style)

# Absolute placement of the visible widgets.
tit.place(x=600, y=10)
tit1.place(x=600, y=70)
la1.place(x=400, y=150)
accno.place(x=650, y=150)
but2.place(x=870, y=145)

lg.mainloop()

我收到以下错误:

     ['1']
     Exception in Tkinter callback
     Traceback (most recent call last):
  File "C:\Python34\lib\tkinter\__init__.py", line 1533, in __call__
    return self.func(*args)
  File "C:\Python34\pypyodbc-1.3.3\customer_details.py", line 15, in view
    cur.execute(q,dis)
  File "C:\Python34\pypyodbc-1.3.3\pypyodbc.py", line 1470, in execute
    self._BindParams(param_types)
  File "C:\Python34\pypyodbc-1.3.3\pypyodbc.py", line 1263, in
    _BindParams
        raise ProgrammingError('HY000',error_desc)
       pypyodbc.ProgrammingError: ('HY000', 'The SQL contains 0 parameter markers, but 1 parameters were supplied')

我在网格中提取和显示数据时遇到了问题。

1 个答案:

答案 0 :(得分:2)

SQL注入是一个严重的问题,最终可能会破坏您的数据库。要记住的经典之作是Bobby Tables。因此,正确构建查询以防止这种情况非常重要;这需要一些机制来“转义”输入,以便它不能被解释为命令本身。

q = "select * from cus_details where cus_id = '" + cus + "' "

此查询不会转义任何内容,因为您只需将cus的值抛出到字符串中。 cur.execute(q,dis)然后失败,因为没有标记可以解释dis的值应该去哪里。

执行此操作的方法是使用占位符和参数绑定。占位符的具体写法取决于所用的数据库驱动(DB-API 中的 paramstyle):在 SQLite3 中是 ?,在其他一些版本中是 %s。我不确定这里该用哪一种。编辑:从 Zev Spitz 的评论来看,this particular case 中的占位符似乎是 ?(参见“参数”部分)。

因此,您的查询将如下所示:

q = "SELECT * FROM cus_details WHERE cus_id = ?"
# The second argument must be a sequence: (cus,) is a one-element tuple,
# while (cus) would just be the string itself.
cur.execute(q, (cus,))

# Or, for drivers whose paramstyle is "format": the %s is a marker consumed
# by the driver, so the query string must not be %-formatted in Python.

q = "SELECT * FROM cus_details WHERE cus_id = %s"
cur.execute(q, (cus,))