首先,在所有事情之前,我意识到这个问题已被事先提出过。我已经找了几个小时试图解决我的问题,但我还没有能够正确实施解决方案,而且我仍然遇到了错误。
我试图使用变量字符串INSERT到一个表(希望表名是动态的,但我相信这也是不允许的?)。从我进行的研究来看,这似乎是不允许的/良好实践,因为它使代码对SQL注入开放。
我试过用%s替换%s?但它仍然会返回相同的错误"?"而不是"%?"
这是我正在使用的代码。其中大部分归功于詹姆斯·米尔斯,我只是试图使用他从CSV中为sqlite3 INSERT语句做出的陈述,如果这是有道理的。
"""csv2sql
Tool to convert CSV data files into SQL statements that
can be used to populate SQL tables. Each line of text in
the file is read, parsed and converted to SQL and output
to stdout (which can be piped).
A table to populate is given by the -t/--table option or
by the basename of the input file (if not standard input).
Fields are either given by the -f/--fields option (comma
separated) or determinted from the first row of data.
"""
__version__ = "0.4"
__author__ = "James Mills"
__date__ = "3rd February 2011"
import os
import csv
import sys
import optparse
import sqlite3
USAGE = "%prog [options] <file>"
VERSION = "%prog v" + __version__
def parse_options():
parser = optparse.OptionParser(usage=USAGE, version=VERSION)
parser.add_option("-t", "--table",
action="store", type="string",
default=None, dest="table",
help="Specify table name (defaults to filename)")
parser.add_option("-f", "--fields",
action="store", type="string",
default=None, dest="fields",
help="Specify a list of fields (comma-separated)")
parser.add_option("-s", "--skip",
action="append", type="int",
default=[], dest="skip",
help="Specify records to skip (multiple allowed)")
opts, args = parser.parse_args()
if len(args) < 1:
parser.print_help()
raise SystemExit, 1
return opts, args
def generate_rows(f):
sniffer = csv.Sniffer()
dialect = sniffer.sniff(f.readline())
f.seek(0)
reader = csv.reader(f, dialect)
for line in reader:
yield line
def main():
opts, args = parse_options()
filename = args[0]
if filename == "-":
if opts.table is None:
print "ERROR: No table specified and stdin used."
raise SystemExit, 1
fd = sys.stdin
table = opts.table
else:
fd = open(filename, "rU")
if opts.table is None:
table = os.path.splitext(filename)[0]
else:
table = opts.table
rows = generate_rows(fd)
if opts.fields:
fields = ", ".join([x.strip() for x in opts.fields.split(",")])
else:
fields = ", ".join(rows.next())
for i, row in enumerate(rows):
if i in opts.skip:
continue
values = ", ".join(["\"%s\"" % x for x in row])
print "INSERT INTO %s (%s) VALUES (%s);" % (table, fields, values)
con = sqlite3.connect("school")
cur = con.cursor()
cur.executemany("INSERT INTO %s (%s) VALUES (%s);", (table, fields, values))
con.commit()
con.close()
if __name__ == "__main__":
main()
以下是输出示例:
> INSERT INTO data (School Name, Summer 15, Summer 16, Summer 17) VALUES ("School One", "126", "235", "453");
Traceback (most recent call last):
File "sniffer.py", line 103, in <module>
main()
File "sniffer.py", line 98, in main
cur.executemany("INSERT INTO %s (%s) VALUES (%s);", (table, fields, values))
sqlite3.OperationalError: near "%": syntax error
嗅探器的东西是获取列的名称及其值,我尝试将其放入SQL语句中。
我尝试了很多东西,但我还没有能够解决问题!
请不要打击我!我对这一切都很陌生,只需要一些帮助!
感谢任何帮助!
答案 0 :(得分:1)
请记住SQL-Injection Attack的可能性,并确保清理您的输入,您可以像这样准备查询:
?请注意,对于SQLite中的参数替换,您需要使用cur.executemany(qry, (rows,))
s。
import time
def timer():
now = time.localtime(time.time())
return now[5]
run = raw_input("Start? > ")
while run == "start":
minutes = 0
current_sec = timer()
#print current_sec
if current_sec == 59:
mins = minutes + 1
print ">>>>>>>>>>>>>>>>>>>>>", mins