Python 字符串拼接 sql ,造成 sql 注入例子

简单的 userinfo 表

字符串拼接 sql

import pymysql

# 测试环境的数据库连接
conn = pymysql.connect(host=\'192.168.0.214\', port=3306, user=\'root\', passwd=\'123456\', db=\'tmpdb\')
cursor = conn.cursor()

# 字符串拼接sql，用户名和密码都是乱写
sql = \'select username, password from userinfo where username=\"%s\" and password=\"%s\"\'
sql = sql %(\'yy\" or 1=1 -- \', \'11111\')
cursor.execute(sql)
r = cursor.fetchone()
print(r)

cursor.close()
conn.close()

# 运行结果，正确取到数值
(\'klvchen\', \'123456\')

正常的写法

# __author__:\"klvchen\"
# date: 2018/12/12
import pymysql

conn = pymysql.connect(host=\'192.168.0.214\', port=3306, user=\'root\', passwd=\'123456\', db=\'tmpdb\')
cursor = conn.cursor()

cursor.execute(\'select username, password from userinfo where username=\"%s\" and password=\"%s\"\', (\'yy\" or 1=1 -- \', \'11111\'))
r = cursor.fetchone()
print(r)

cursor.close()
conn.close()

# 运行结果，没有取到数值
None