sqlite3.OperationalError: near "s": syntax error
sqlite3.OperationalError: near "s": syntax error
我正在制作一个不和谐的机器人。我尝试使用 SQLite3 数据库为我的机器人增加经济性。但是当我创建一个列时我得到了一个错误:
cursor.execute(f"INSERT INTO users VALUES ('{member}', {member.id}, 30, 0, 0, 1, {guild.id})")
sqlite3.OperationalError: near "s": syntax error
此外,这是代码:
@client.event
async def on_ready():
cursor.execute("""CREATE TABLE IF NOT EXISTS users (
name TEXT,
id INT,
cash BIGINT,
rep INT,
xp INT,
lvl INT,
server_id INT
)""")
for guild in client.guilds:
for member in guild.members:
if cursor.execute(f"SELECT id FROM users WHERE id = {member.id}").fetchone() is None:
cursor.execute(f"INSERT INTO users VALUES ('{member}', {member.id}, 30, 0, 0, 1, {guild.id})")
else:
pass
connection.commit()
Code injection bug! 考虑如果 member
的字符串化是 Foo's Bar
会发生什么。你最终会执行
INSERT INTO users VALUES ('Foo's Bar...
-- ^ Syntax error
我相信
cursor.execute(f"SELECT id FROM users WHERE id = {member.id}")
cursor.execute(f"INSERT INTO users VALUES ('{member}', {member.id}, 30, 0, 0, 1, {guild.id})")
应该是
cursor.execute("SELECT id FROM users WHERE id = ?", ( member.id, ))
cursor.execute("INSERT INTO users VALUES (?, ?, 30, 0, 0, 1, ?)",
( str(member), member.id, guild.id ) )
我正在制作一个不和谐的机器人。我尝试使用 SQLite3 数据库为我的机器人增加经济性。但是当我创建一个列时我得到了一个错误:
cursor.execute(f"INSERT INTO users VALUES ('{member}', {member.id}, 30, 0, 0, 1, {guild.id})")
sqlite3.OperationalError: near "s": syntax error
此外,这是代码:
@client.event
async def on_ready():
cursor.execute("""CREATE TABLE IF NOT EXISTS users (
name TEXT,
id INT,
cash BIGINT,
rep INT,
xp INT,
lvl INT,
server_id INT
)""")
for guild in client.guilds:
for member in guild.members:
if cursor.execute(f"SELECT id FROM users WHERE id = {member.id}").fetchone() is None:
cursor.execute(f"INSERT INTO users VALUES ('{member}', {member.id}, 30, 0, 0, 1, {guild.id})")
else:
pass
connection.commit()
Code injection bug! 考虑如果 member
的字符串化是 Foo's Bar
会发生什么。你最终会执行
INSERT INTO users VALUES ('Foo's Bar...
-- ^ Syntax error
我相信
cursor.execute(f"SELECT id FROM users WHERE id = {member.id}")
cursor.execute(f"INSERT INTO users VALUES ('{member}', {member.id}, 30, 0, 0, 1, {guild.id})")
应该是
cursor.execute("SELECT id FROM users WHERE id = ?", ( member.id, ))
cursor.execute("INSERT INTO users VALUES (?, ?, 30, 0, 0, 1, ?)",
( str(member), member.id, guild.id ) )