
Python sqlite3 query generation

Having the following:

```python
array = ['', 'kujawski=', "'", "select * from symbols where name = '='", ';drop table;', 'fakeone=']
```

I can easily generate the following query:

```python
# (query, array)
('select count(*) from symbols where  name in (?,?,?,?,?,?)', ('', 'kujawski=', "'", "select * from symbols where name = '='", ';drop table;', 'fakeone='))
```

to generate a query that I can put into the cursor.execute() function, and I'm currently doing it with the following code:

```python
"select count(*) from table where name in (%s)" % ",".join("?"*len(array)), array
```

And the cursor.execute() function returns the desired output. However, the problem is when I would like to filter the query with AND, for example:

```sql
select count(*) from table where name in (...) and column5 in (...)
```

I have no idea how to generate a query in Python that the cursor.execute() function will accept, please help - thank you!

I'm not sure what you're trying to accomplish with your second select statement with the joins. The first line is what you should pass to cur.execute(). For example:

```python
cur.execute(
    'select count(*) from symbols where  name in (?,?,?,?,?,?)',
    ('', 'kujawski=', "'", "select * from symbols where name = '='", ';drop table symbols;', 'fakeone=')
)
```

This will also prevent SQL injection attacks, which is what you yourself are trying to take advantage of.

If you want to execute drop statements and the like, then you should be using cur.execute() to handle that on its own, not as an embedded command within another command like you're trying.

In fact, I have no idea what you're trying to accomplish AT ALL with this. This is your statement (roughly) after sqlite gets done with it.

```sql
select
    count(*)
from
    symbols
where
    name in (
        '',
        'kujawski=',
        "'",
        "select * from symbols where name = '='",
        ';drop table symbols;',
        'fakeone=')
```
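The question itself (a query with `name in (...) and column5 in (...)`, every value bound with `?`) is answered by generalizing the `",".join("?"*len(array))` trick to one placeholder list per column. The following is an added example, not code from the question or the answer above: the `build_in_query`, `quote_ident` and `demo` names, the `symbols`/`column5` schema and the inserted rows are assumptions made for illustration. It goes beyond the question in two ways: it accepts any number of columns, and it handles an empty value list, which would otherwise produce `IN ()`. Column and table names cannot be bound as parameters, so they are validated as identifiers and quoted; only the values travel as parameters, which is what keeps strings like `;drop table symbols;` inert.

```python
import re
import sqlite3

# Identifiers (table and column names) cannot be passed as "?" parameters,
# so they are checked against a strict pattern and double-quoted before being
# placed in the SQL text. They must come from code, never from user input.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def quote_ident(name):
    """Validate and double-quote a SQL identifier (assumed helper)."""
    if not IDENT_RE.fullmatch(name):
        raise ValueError("invalid SQL identifier: %r" % (name,))
    return '"%s"' % name


def build_in_query(table, filters):
    """Return (sql, params) for
    SELECT count(*) FROM <table> WHERE col1 IN (?,...) AND col2 IN (?,...) ...

    filters is a list of (column, values) pairs. Every value is bound with a
    "?" placeholder, so a value such as ";drop table symbols;" is compared as
    data and never executed as SQL.
    """
    clauses = []
    params = []
    for column, values in filters:
        values = list(values)
        if not values:
            # An empty list can never match; emit a constant false rather than
            # relying on the database accepting "col IN ()".
            clauses.append("0")
            continue
        placeholders = ",".join("?" * len(values))
        clauses.append("%s IN (%s)" % (quote_ident(column), placeholders))
        params.extend(values)
    where = " AND ".join(clauses) if clauses else "1"
    sql = "SELECT count(*) FROM %s WHERE %s" % (quote_ident(table), where)
    # Each value costs one host parameter; SQLite's limit
    # (SQLITE_MAX_VARIABLE_NUMBER) is 999 before 3.32.0 and 32766 from then on.
    return sql, tuple(params)


def demo():
    """Run the generated query against an in-memory database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE symbols (name TEXT, column5 TEXT)")
    # Constructed sample data, including the injection-looking strings from the question.
    conn.executemany("INSERT INTO symbols VALUES (?, ?)", [
        ("kujawski=", "a"),
        ("fakeone=", "b"),
        (";drop table symbols;", "a"),
        ("other", "a"),
    ])
    names = ['', 'kujawski=', "'", "select * from symbols where name = '='",
             ';drop table symbols;', 'fakeone=']
    sql, params = build_in_query("symbols", [("name", names), ("column5", ["a"])])
    count = conn.execute(sql, params).fetchone()[0]
    # The table survives: the "drop table" string was bound as data, not run as SQL.
    table_exists = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='symbols'"
    ).fetchone()[0] == 1
    conn.close()
    return sql, count, table_exists


if __name__ == "__main__":
    print(demo())
```

With the rows above, `demo()` returns the generated SQL (`SELECT count(*) FROM "symbols" WHERE "name" IN (?,?,?,?,?,?) AND "column5" IN (?)`), a count of 2 (`kujawski=` and `;drop table symbols;` both have `column5 = 'a'`), and `True` for the table still existing. The identifier check is the one part a parameterized API cannot do for you: if column names are ever chosen by a caller, whitelist them rather than interpolating them.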
