Is it necessary to refer to existing anti-injection documentation for languages such as PHP or Java? It's really hard to find anti-injection documentation for Python.
黄舟2017-06-14 10:52:54
1. Using
cursor.execute("select * from table where name=%s", (name,))
prevents injection.
2. If you use
sql = "select * from table where name='%s'" % MySQLdb.escape_string(name)
this form requires MySQLdb.escape_string(name) to prevent injection.
The first one is recommended.
欧阳克2017-06-14 10:52:54
sql = "INSERT INTO `users` (`email`, `password`) VALUES (%s, %s)"
cursor.execute(sql, ('webmaster@python.org', 'very-secret'))
One thing I know is not to use sql.format("x1", "x2"), but to pass the parameters to cursor.execute for processing.
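Both answers make the same point: keep the SQL text fixed and hand the value to cursor.execute as a parameter instead of formatting it into the string. The following is an added, runnable example (not code from either answer) that shows why. It assumes an in-memory SQLite database standing in for the MySQL `users` table, with constructed sample rows; SQLite's DB-API placeholder is `?` where MySQLdb uses `%s`, but the mechanism is the same.

```python
import sqlite3

# Constructed sample data (assumption): an in-memory SQLite table standing in for
# the MySQL "users" table used in the answers above.
SAMPLE_USERS = [
    ("alice@example.com", "alice-secret"),
    ("bob@example.com", "bob-secret"),
]


def make_db():
    """Create an in-memory database and load the constructed sample rows.

    The INSERT itself uses parameters, mirroring the second answer's pattern
    (SQLite '?' placeholders instead of MySQLdb '%s').
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (email, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, email):
    """The pattern the answers warn against: the value is spliced into the SQL
    text with string formatting, so the input can change the statement's
    structure instead of being treated purely as data."""
    sql = "SELECT email FROM users WHERE email = '%s'" % email
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, email):
    """The recommended pattern: the SQL text is fixed and the value travels
    separately as a parameter, so it can only ever match as a string."""
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo(email):
    """Run the same lookup both ways and return (unsafe_result, safe_result)."""
    conn = make_db()
    try:
        return find_user_unsafe(conn, email), find_user_safe(conn, email)
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal lookup behaves the same either way.
    print(demo("alice@example.com"))
    # An input containing a quote: the formatted query returns every row,
    # the parameterised query correctly returns nothing.
    print(demo("' OR '1'='1"))
```

The parameterised version needs no escaping of its own: the driver never lets the value become part of the statement text. With MySQLdb the only changes would be the connection call and `%s` in place of `?`, exactly as in the second answer's INSERT.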