<p>You need to combine string formatting <em>and</em> parameter substitution to build a query that can be executed safely.</p>
<pre class="lang-py prettyprint-override"><code># Sqlite uses question marks for value placeholders
# and double-quotes for identifiers. See
# https://www.sqlite.org/lang_keywords.html
sql = 'SELECT "%s" FROM balances WHERE id = ?'
# Use string formatting (%, .format, f-string) to add the column name(s)
sql = sql % column_name
# Use parameter substitution to add the value(s) to ensure correct quoting of values
result = cursor.execute(sql, (1,))
</code></pre>
<p>There is an alternative form for the value placeholder:</p>
<pre class="lang-py prettyprint-override"><code>sql = 'SELECT "%s" FROM balances WHERE id = :id'
sql = sql % column_name
result = cursor.execute(sql, {'id': 1})
</code></pre>
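<p>A complete, runnable version of the two-step approach above, added here as an example and not part of the original answer. It assumes a <code>balances</code> table with columns <code>id</code>, <code>owner</code> and <code>amount</code> (constructed in an in-memory database), and it makes explicit the check the answer relies on: a column name that is spliced in with string formatting must be validated against an allowlist and quoted as an identifier (embedded double quotes doubled, per SQLite's identifier rules), while the row id stays a bound parameter in both the <code>?</code> and the <code>:id</code> placeholder form.</p>

```python
import sqlite3

# Allowlist of columns a caller may request (assumed schema for this example).
ALLOWED_COLUMNS = {"id", "owner", "amount"}


def quote_identifier(name: str) -> str:
    """Wrap an identifier in double quotes, doubling any embedded quote
    as SQLite requires for identifiers."""
    return '"' + name.replace('"', '""') + '"'


def build_query(column_name: str) -> str:
    """SELECT text for one allowlisted column, positional (?) placeholder.

    The column name enters via string formatting, so it is checked
    against the allowlist first; the row id stays a bound parameter."""
    if column_name not in ALLOWED_COLUMNS:
        raise ValueError(f"column not allowed: {column_name!r}")
    return "SELECT %s FROM balances WHERE id = ?" % quote_identifier(column_name)


def build_query_named(column_name: str) -> str:
    """Same query using the named (:id) placeholder form."""
    if column_name not in ALLOWED_COLUMNS:
        raise ValueError(f"column not allowed: {column_name!r}")
    return "SELECT %s FROM balances WHERE id = :id" % quote_identifier(column_name)


def make_connection() -> sqlite3.Connection:
    """In-memory database populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE balances (id INTEGER PRIMARY KEY, owner TEXT, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO balances VALUES (?, ?, ?)",
        [(1, "alice", 10.5), (2, "bob", 99.0)],
    )
    return conn


def fetch_column(conn: sqlite3.Connection, column_name: str, row_id):
    """Fetch one column of one row; the row id is passed as a bound value."""
    cur = conn.execute(build_query(column_name), (row_id,))
    row = cur.fetchone()
    return row[0] if row else None


def fetch_column_named(conn: sqlite3.Connection, column_name: str, row_id):
    """Same as fetch_column, using the dict form for named placeholders."""
    cur = conn.execute(build_query_named(column_name), {"id": row_id})
    row = cur.fetchone()
    return row[0] if row else None


def column_is_allowed(column_name: str) -> bool:
    """True if build_query accepts the name, False if the allowlist rejects it."""
    try:
        build_query(column_name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    conn = make_connection()
    print(fetch_column(conn, "amount", 1))        # 10.5
    print(fetch_column_named(conn, "owner", 2))   # bob
    # A bound value is compared as data, never parsed as SQL, so no row matches.
    print(fetch_column(conn, "amount", "1 OR 1=1"))  # None
    print(column_is_allowed("owner"), column_is_allowed("not_a_column"))  # True False
```

<p>Because the allowlist is checked before formatting, any name that is not a known column raises <code>ValueError</code> before it ever reaches the database; the identifier quoting is a second line of defence for names that do pass the check.</p>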