I am trying to write a function that takes 3 values: the column to edit, the value to insert, and the id of the row (in this case a hash). But I get a standard "You have an error in your SQL syntax".
    def _alter_material_prop(self, hash, key, val):
        # the column name is concatenated straight into the query text
        sql = "UPDATE `materials` SET "+key+" = %s WHERE `materials`.`hashkey` = %s"
        self.cursor.execute(sql, (val, hash))
        self.db.commit()
This is my SQL-injectable code.
I want to do this instead:
    def _alter_material_prop(self, hash, key, val):
        # the column name is passed as a bound parameter, like the value and the hash
        sql = "UPDATE `materials` SET %s = %s WHERE `materials`.`hashkey` = %s"
        self.cursor.execute(sql, (key, val, hash))
        self.db.commit()
But this produces the following error message:
    Traceback (most recent call last):
      File "/Users/Nate/PycharmProjects/mofdb-insert-mofs/mofdb_interface_tests.py", line 478, in test_alter_mat_prop
        mofdb._alter_material_prop(hashkey, "PLD", 1337.0)
      File "/Users/Nate/PycharmProjects/mofdb-insert-mofs/mofdb_interface.py", line 227, in _alter_material_prop
        self.cursor.execute(sql, (key, val, hash))
      File "/Users/Nate/PycharmProjects/mofdb-insert-mofs/venv/lib/python3.5/site-packages/mysql/connector/cursor.py", line 559, in execute
        self._handle_result(self._connection.cmd_query(stmt))
      File "/Users/Nate/PycharmProjects/mofdb-insert-mofs/venv/lib/python3.5/site-packages/mysql/connector/connection.py", line 494, in cmd_query
        result = self._handle_result(self._send_cmd(ServerCmd.QUERY, query))
      File "/Users/Nate/PycharmProjects/mofdb-insert-mofs/venv/lib/python3.5/site-packages/mysql/connector/connection.py", line 396, in _handle_result
        raise errors.get_exception(packet)
    mysql.connector.errors.ProgrammingError: 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''PLD' = 1337.0 WHERE `materials`.`hashkey` = '43ba34f38db8ec0f20cb058853275535ea' at line 1
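The traceback above shows why the second version fails: query parameters bind values, not identifiers, so mysql.connector emits the column name as the string literal 'PLD', and MySQL rejects `'PLD' = 1337.0`. The usual safe pattern is to check the column name against a fixed allow-list of updatable columns, splice only that vetted identifier into the SQL text, and keep the value and the hash as bound parameters. The following is an added example illustrating that pattern; it is not code from the question. The column names in the allow-list and the `materials` schema are assumptions (only PLD and hashkey appear on the page), and it runs against an in-memory SQLite database as a stand-in for MySQL, which is why the placeholder style is a parameter (`%s` for mysql.connector, `?` for sqlite3).

```python
import sqlite3

# Constructed allow-list: the only columns this function may ever update.
# The real `materials` schema is not known; these names are assumptions
# (PLD is the one column that appears in the question's traceback).
ALLOWED_MATERIAL_COLUMNS = frozenset({"PLD", "LCD", "density"})


def quote_identifier(name):
    """Backtick-quote a MySQL identifier, doubling any embedded backtick."""
    return "`" + name.replace("`", "``") + "`"


def build_update_sql(column, allowed_columns=ALLOWED_MATERIAL_COLUMNS, placeholder="%s"):
    """Return an UPDATE statement for one allow-listed column.

    A column name cannot be bound as a query parameter: the driver renders it
    as a quoted string literal, which is exactly the 'PLD' = 1337.0 syntax
    error in the question. So the name is validated against an allow-list
    and only then spliced into the SQL text; the value and the hash remain
    placeholders that the driver binds safely.
    """
    if column not in allowed_columns:
        raise ValueError("refusing to update unknown column %r" % (column,))
    return ("UPDATE `materials` SET " + quote_identifier(column) + " = " + placeholder
            + " WHERE `materials`.`hashkey` = " + placeholder)


def alter_material_prop(conn, hashkey, key, val, placeholder="%s"):
    """Update one property of one material row; return the number of rows changed."""
    sql = build_update_sql(key, placeholder=placeholder)
    cur = conn.cursor()
    cur.execute(sql, (val, hashkey))  # value and hash are bound, never interpolated
    conn.commit()
    return cur.rowcount


def demo():
    """Stand-in demonstration on an in-memory SQLite database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE materials (hashkey TEXT PRIMARY KEY, PLD REAL, LCD REAL, density REAL)")
    conn.execute("INSERT INTO materials VALUES ('abc123', 0.0, 0.0, 0.0)")
    changed = alter_material_prop(conn, "abc123", "PLD", 1337.0, placeholder="?")
    pld = conn.execute("SELECT PLD FROM materials WHERE hashkey = 'abc123'").fetchone()[0]
    # A column name that is not on the allow-list is rejected before any SQL is built.
    try:
        alter_material_prop(conn, "abc123", "not_a_column", 1.0, placeholder="?")
        rejected = False
    except ValueError:
        rejected = True
    return changed, pld, rejected


if __name__ == "__main__":
    print(demo())
```

With mysql.connector you would call `alter_material_prop(self.db, hash, key, val)` with the default `%s` placeholder; the allow-list check is what makes it acceptable to build the column name into the statement text, and `quote_identifier` is a second line of defence rather than a substitute for it.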