# pip3 install pymysql
pycharm project Interpreter: 添加包 PyMySQL
import sys import pymysql print(sys.path) def login_db(user, pwd): conn = pymysql.connect( host=‘localhost‘, port=3306, user=‘root‘, passwd=‘!QAZxsw2‘, db=‘db1‘, charset=‘utf8‘ ) cur = conn.cursor() sql = "select username,pwd from user where username=‘%s‘ and pwd = ‘%s‘" % (user, pwd) rows = cur.execute(sql) cur.close() conn.close() if rows: print(‘success‘) else: print(‘failed‘) if __name__ == ‘__main__‘: user = input(‘user>>‘).strip() passwd = input(‘password>>‘).strip() login_db(user, passwd)
注意:这种方法有sql注入的风险。
运行结果: user>>zdaf" or 1=1 -- adfa password>>asf select username,pwd from user where username="zdaf" or 1=1 -- adfa" and pwd = "asf" success
防范sql注入的方式:
import sys import pymysql print(sys.path) def login_db(user, pwd): conn = pymysql.connect( host=‘localhost‘, port=3306, user=‘root‘, passwd=‘!QAZxsw2‘, db=‘db1‘, charset=‘utf8‘ ) cur = conn.cursor() # sql = ‘select username,pwd from user where username="%s" and pwd = "%s" ‘ % (user, pwd) # rows = cur.execute(sql) sql = ‘select username,pwd from user where username=%s and pwd = %s‘ rows = cur.execute(sql, (user, pwd)) print(sql) cur.close() conn.close() if rows: print(‘success‘) else: print(‘failed‘) if __name__ == ‘__main__‘: user = input(‘user>>‘).strip() passwd = input(‘password>>‘).strip() login_db(user, passwd)
user>>lbx password>>lbx select username,pwd from user where username=%s and pwd = %s success user>>zdaf" or 1=1 -- adfa password>> select username,pwd from user where username=%s and pwd = %s failed
原文:https://www.cnblogs.com/beallaliu/p/9205001.html
