<pre><code>import subprocess
# shell=True form: the SQL is spliced into one command string that the shell parses first
# (text_index, index and syllable are the caller's variables)
p = subprocess.Popen("mysql -e \"insert into test.syllabalize values ("
                     + str(text_index) + "," + str(index) + ",'" + syllable + "')\"",
                     shell=True)
p.wait()
</code></pre>
<p>But you should consider using a Python module to access the MySQL database instead of doing this. You could use:</p>
<pre><code># MySQL DB-API drivers (MySQLdb, PyMySQL) use %s as the placeholder, not ?
db.execute("insert into test.syllabalize values (%s,%s,%s)", (text_index, index, syllable))
</code></pre>
<p>Parameterized queries give complete protection against SQL injection.</p>
<p>In fact, subprocess.Popen offers them too:</p>
<pre><code># list form: argv is passed straight to mysql, no shell involved, but the SQL is still concatenated
p = subprocess.Popen(["mysql", "-e",
                      "insert into test.syllabalize values ("
                      + str(text_index) + "," + str(index) + ",'" + syllable + "')"])
</code></pre>
<p>Shell injection is impossible in this form, but the SQL query is still vulnerable.</p>
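<p>The three forms side by side, as an added example that is not part of the original answer: it models how a POSIX shell would tokenize the shell=True string (via shlex), shows that the argv list keeps the value inside one argument whatever it contains, that the concatenated SQL still lets the data change the statement's quote structure, and that a parameterized insert stores the value literally. sqlite3 is assumed as an offline stand-in for MySQL, and the sample syllables are constructed.</p>

```python
import shlex
import sqlite3


def shell_form(text_index, index, syllable):
    """The shell=True form: one string that /bin/sh parses before mysql runs,
    so quotes, $ and ; inside `syllable` are interpreted by the shell."""
    return ('mysql -e "insert into test.syllabalize values ('
            + str(text_index) + ',' + str(index) + ",'" + syllable + "')\"")


def argv_form(text_index, index, syllable):
    """The list form: argv goes straight to mysql, no shell parse, but the
    SQL text is still built by concatenation."""
    return ['mysql', '-e',
            'insert into test.syllabalize values ('
            + str(text_index) + ',' + str(index) + ",'" + syllable + "')"]


def shell_tokens(cmd):
    """How a POSIX shell would split the shell_form string (shlex models it)."""
    return shlex.split(cmd)


def sql_quote_balanced(sql):
    """An odd number of single quotes means the data changed the statement's
    structure; MySQL would reject or misparse such a query."""
    return sql.count("'") % 2 == 0


def insert_parameterized(syllable):
    """Parameterized insert; sqlite3 stands in for MySQL so this runs offline
    (MySQL DB-API drivers use %s placeholders instead of ?)."""
    conn = sqlite3.connect(':memory:')
    conn.execute('create table syllabalize (text_index int, idx int, syllable text)')
    conn.execute('insert into syllabalize values (?,?,?)', (1, 2, syllable))
    return conn.execute('select syllable from syllabalize').fetchone()[0]


if __name__ == '__main__':
    # Constructed inputs: a plain syllable, one with a single quote, one with double quotes
    for s in ('ba', "d'oh", 'a" b "c'):
        print(repr(s), 'shell tokens:', len(shell_tokens(shell_form(1, 2, s))),
              'argv items:', len(argv_form(1, 2, s)),
              'sql balanced:', sql_quote_balanced(argv_form(1, 2, s)[2]),
              'stored:', repr(insert_parameterized(s)))
```

With the double-quoted sample the shell form splits into five tokens instead of three, while the argv form always has exactly three; the single-quote sample leaves both concatenated statements unbalanced, and only the parameterized insert stores either value unchanged.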