Python MySQLdb 语法错误,看似正确的语法
Python MySQLdb Syntax Error with seemingly correct syntax
我正在尝试使用以下代码对 MySQL table 中名为 N_NUMBER 的列进行简单检索:
from os.path import join, dirname
from dotenv import load_dotenv
import MySQLdb
TABLE_NAME = 'testmaster'
dotenv_path = join(dirname(__file__), '.env')
load_dotenv(dotenv_path) # loads the .env
dbName = os.environ.get('DB_NAME')
mydb = MySQLdb.connect(host=os.environ.get('DB_HOST'), user=os.environ.get('DB_USER'), passwd=os.environ.get('DB_PASS'), db=dbName)
cursor = mydb.cursor()
cursor.execute("SELECT N_NUMBER FROM %s", (TABLE_NAME,))
我每次都继续得到相同的 Traceback,即:
Traceback (most recent call last):
File "updateMaster.py", line 101, in <module>
cursor.execute("SELECT 'N_NUMBER' FROM %s", (TABLE_NAME,))
File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/MySQLdb/cursors.py", line 205, in execute
self.errorhandler(self, exc, value)
File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
raise errorclass, errorvalue
_mysql_exceptions.ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''testmaster'' at line 1")
我也尝试了 .execute() 方法文档推荐的 pyformat 样式语法,但仍然收到相同的错误。 pyformat 样式如下:
cursor.execute("SELECT N_NUMBER FROM %(table_name)s", {'table_name':TABLE_NAME})
当我尝试直接将 table 名称插入命令字符串时,该命令有效,让我怀疑它与 %s 有关。怎么了?
您不能参数化 table 也不能列名。在意识到 SQL Injection 攻击的可能性的同时,改为:
cursor.execute("SELECT N_NUMBER FROM {}".format(TABLE_NAME))
我正在尝试使用以下代码对 MySQL table 中名为 N_NUMBER 的列进行简单检索:
from os.path import join, dirname
from dotenv import load_dotenv
import MySQLdb
TABLE_NAME = 'testmaster'
dotenv_path = join(dirname(__file__), '.env')
load_dotenv(dotenv_path) # loads the .env
dbName = os.environ.get('DB_NAME')
mydb = MySQLdb.connect(host=os.environ.get('DB_HOST'), user=os.environ.get('DB_USER'), passwd=os.environ.get('DB_PASS'), db=dbName)
cursor = mydb.cursor()
cursor.execute("SELECT N_NUMBER FROM %s", (TABLE_NAME,))
我每次都继续得到相同的 Traceback,即:
Traceback (most recent call last):
File "updateMaster.py", line 101, in <module>
cursor.execute("SELECT 'N_NUMBER' FROM %s", (TABLE_NAME,))
File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/MySQLdb/cursors.py", line 205, in execute
self.errorhandler(self, exc, value)
File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
raise errorclass, errorvalue
_mysql_exceptions.ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''testmaster'' at line 1")
我也尝试了 .execute() 方法文档推荐的 pyformat 样式语法,但仍然收到相同的错误。 pyformat 样式如下:
cursor.execute("SELECT N_NUMBER FROM %(table_name)s", {'table_name':TABLE_NAME})
当我尝试直接将 table 名称插入命令字符串时,该命令有效,让我怀疑它与 %s 有关。怎么了?
您不能参数化 table 也不能列名。在意识到 SQL Injection 攻击的可能性的同时,改为:
cursor.execute("SELECT N_NUMBER FROM {}".format(TABLE_NAME))