How to Safely Insert Variables into SQL Queries Using Python?

Insert the variable in Python to insert variables into SQL query

When processing database queries in Python, variables are usually required in the query statement. However, it must be operated in a way to prevent grammar errors or security vulnerabilities.

Consider the following Python code:

<code class="language-python">cursor.execute("INSERT INTO table VALUES var1, var2, var3")</code>

In this code,

is an integer, var1 and var2 are string. However, when Python tries to include the name var3, var1, and var2 as part of the query text itself, there will be problems, causing the query to be invalid. var3

In order to solve this problem, you can use the replacement mechanism provided by the database API. The following is the method of rewriting the code to use the occupied symbol:

<code class="language-python">cursor.execute("INSERT INTO table VALUES (%s, %s, %s)", (var1, var2, var3))</code>

In this improved code:

It represents a placeholder to fill in the recharge.
• %s is a tuple containing an insertion value.
• (var1, var2, var3) By transmitting the value as the meta -group, the database API will process the necessary variable transfers and references to ensure compatibility with the database and prevent potential security risks.

Please note that for a single parameter, you need to have a tuning group with tail comma:

In addition, avoid using the string format format (%) to insert variables, because it may cause security vulnerabilities and do not support it.

The above is the detailed content of How to Safely Insert Variables into SQL Queries Using Python?. For more information, please follow other related articles on the PHP Chinese website!