SQL注入:
import pymysql
# 创建数据库连接 返回一个对象
conn = pymysql.connect(
host="localhost", # MySQL服务器地址 本地地址 127.0.0.1
user="root", # 用户名 (账号)
password="155480", # 密码
database="spt2503", # 数据库名称
port=3306
)
cursor = conn.cursor(cursor=pymysql.cursors.DictCursor)
name = input("请输入账号")
pwd = input("请输入密码")
sql = ("SELECT * from t_user u LEFT JOIN t_user_role ur ON(ur.uid=u.id)LEFT JOIN "
"t_role r on (ur.rid=r.rid)LEFT JOIN t_role_menu rm ON (rm.rid=r.rid)LEFT "
" JOIN t_menu m ON (m.id=rm.mid) where u.name = '%s' and u.pwd = '%s'")%(name,pwd)
print(sql)
resultCount = cursor.execute(sql)
res = cursor.fetchall()
print(res)
print(resultCount)
if resultCount:
print("登录成功")
else:
print("用户名或密码错误")
cursor.close()
conn.close()
# SQL注入会生成新的SQL语句('%s')
防止SQL注入字典:
import pymysql
# 创建数据库连接 返回一个对象
conn = pymysql.connect(
host="localhost", # MySQL服务器地址 本地地址 127.0.0.1
user="root", # 用户名 (账号)
password="155480", # 密码
database="spt2503", # 数据库名称
port=3306
)
cursor = conn.cursor(cursor=pymysql.cursors.DictCursor)
name = input("请输入账号")
pwd = input("请输入密码")
sql = ("SELECT * from t_user u LEFT JOIN t_user_role ur ON(ur.uid=u.id)LEFT JOIN "
"t_role r on (ur.rid=r.rid)LEFT JOIN t_role_menu rm ON (rm.rid=r.rid)LEFT "
" JOIN t_menu m ON (m.id=rm.mid) where u.name = %s and u.pwd = %s")
print(sql)
resultCount = cursor.execute(sql, (name, pwd))
res = cursor.fetchall()
print(res)
print(resultCount)
if resultCount:
print("登录成功")
else:
print("用户名或密码错误")
cursor.close()
conn.close()
# SQL注入会生成新的SQL语句('%s')
