<p><em>Do not use string formatting to insert variables into a query.</em> It is dangerous (you expose yourself to <a href="https://en.wikipedia.org/wiki/SQL_injection" rel="nofollow noreferrer">SQL injection attacks</a>) and error-prone (as you have seen).</p>
<p>Instead, <em>parameterize your query</em>:</p>
<pre><code># The table name is formatted in (it cannot be bound as a parameter);
# the values are passed as named parameters and never touch the SQL text.
connection.execute("""
INSERT INTO
{tn}
VALUES
(NULL, :col1, :col2)""".format(tn=tableName),
{"col1": text1, "col2": text2})
</code></pre>
<p>Note that we <a href="https://stackoverflow.com/questions/3247183/variable-table-name-in-sqlite">cannot parameterize table or column names</a>: make sure you validate and properly escape <code>tableName</code>, or trust its source.</p>
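<p>A complete version of the pattern above, as an added example rather than code from this answer: the table name is validated against a strict identifier rule and checked against <code>sqlite_master</code> before being quoted into the SQL, while the values are always bound as parameters. The function names, the identifier rule and the in-memory <code>notes</code> table are assumptions made for the example.</p>

```python
import re
import sqlite3

# Identifier rule used by this example (an assumption, not part of the answer):
# letters, digits and underscores only, starting with a letter.
_IDENT = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def quote_identifier(name):
    """Validate a table/column name and return it double-quoted for SQLite.
    Identifiers cannot be bound as parameters, so the name is checked against
    the strict pattern above and then quoted (embedded quotes doubled)."""
    if not _IDENT.match(name):
        raise ValueError("invalid identifier: %r" % name)
    return '"' + name.replace('"', '""') + '"'


def table_exists(connection, table_name):
    """Check sqlite_master so we only ever write to a table we already know."""
    row = connection.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table_name,),
    ).fetchone()
    return row is not None


def insert_row(connection, table_name, text1, text2):
    """Insert (text1, text2) into table_name: the identifier is validated and
    quoted, the values are bound as named parameters, never formatted in."""
    if not table_exists(connection, table_name):
        raise ValueError("unknown table: %r" % table_name)
    sql = "INSERT INTO {tn} VALUES (NULL, :col1, :col2)".format(
        tn=quote_identifier(table_name))
    cur = connection.execute(sql, {"col1": text1, "col2": text2})
    connection.commit()
    return cur.lastrowid


def demo():
    """Constructed in-memory database; returns the rows stored in 'notes'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, a TEXT, b TEXT)")
    # Quote and comment characters are stored verbatim because the value
    # travels as a bound parameter, not as SQL text.
    insert_row(conn, "notes", "O'Brien", "x'); -- not SQL")
    rows = conn.execute("SELECT a, b FROM notes").fetchall()
    conn.close()
    return rows
```

<p><code>demo()</code> returns the single row with both strings intact, which is the behaviour you want: punctuation in user data is stored, never executed.</p>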