[英]python- sqlite3.OperationalError: near “<”: syntax error

I am using python 3.6. When I try to implement this, at the line cursor=conn.execute(cmd), it raises the error in the title. Can anyone help me? Thank you a lot.
Edit: I have found the solution by just editing str(id) to str(Id).

import sqlite3

def getProfile(id):
    conn=sqlite3.connect("FaceBase.db")
    # Query text is built by string concatenation (the original, unsafe form)
    cmd="SELECT * FROM People WHERE ID=" +str(id)
    cursor=conn.execute(cmd)
    profile=None
    for row in cursor:
        profile=row
    conn.close()
    return profile

The error in your query is that you don't include the quotation marks inside cmd, which are needed if your argument is a string. It should have been like this:

cmd="SELECT * FROM People WHERE ID='{}'".format(str(id))

As @Aaron_ab mentioned in the comment, you should never use SQL queries like this, because a malicious user can do SQL injection. For example, if he puts 1' OR 1=1 /* as the ID, it will return all the rows of the table.

Always try to use prepared statements, which don't allow users to forge their own SQL statement. An example:

cmd="SELECT * FROM People WHERE ID=?"   # sqlite3 uses the '?' (qmark) placeholder, not %s
cursor=conn.execute(cmd, (str(id),))     # the value is bound separately, never spliced into the SQL text
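The following is an added example, not code from the question or the answer above. It builds a constructed in-memory People table (the FaceBase.db file and its real schema are not on the page, so the columns here are an assumption), then shows three things side by side: the quoted-string query from the answer being hijacked by the 1' OR 1=1 /* payload, the parameterized query rejecting the same payload, and how concatenating Python's builtin id (what the asker's str(id) vs str(Id) mix-up produces) yields exactly the near "<": syntax error from the title.

```python
import sqlite3

# Constructed sample data (not from the original post): a small People table.
SAMPLE_ROWS = [
    (1, "Alice"),
    (2, "Bob"),
    (3, "Carol"),
]


def make_db():
    """Create an in-memory database with a People table shaped like the page's query expects."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE People (ID INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO People (ID, Name) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def get_profile_unsafe(conn, user_id):
    """The answer's quoted-string version: the value is spliced into the SQL text.

    A value such as  1' OR 1=1 /*  closes the quote, adds a tautology and comments
    out the trailing quote, so every row comes back.
    """
    cmd = "SELECT * FROM People WHERE ID='{}'".format(user_id)
    return conn.execute(cmd).fetchall()


def get_profile_safe(conn, user_id):
    """Parameterized version. sqlite3 uses the '?' placeholder; the value is bound,
    never parsed as SQL, so the injection payload is just a string that matches nothing."""
    cmd = "SELECT * FROM People WHERE ID=?"
    return conn.execute(cmd, (user_id,)).fetchall()


def reproduce_title_error():
    """Reproduce the error from the page title.

    If the name `id` refers to Python's builtin instead of a value, str(id) is
    '<built-in function id>', so the SQL becomes
        SELECT * FROM People WHERE ID=<built-in function id>
    and sqlite3 raises OperationalError: near "<": syntax error.
    Returns the error message so callers can inspect it (None if no error).
    """
    conn = make_db()
    cmd = "SELECT * FROM People WHERE ID=" + str(id)  # `id` here is the builtin, not a number
    try:
        conn.execute(cmd)
    except sqlite3.OperationalError as exc:
        return str(exc)
    finally:
        conn.close()
    return None


if __name__ == "__main__":
    db = make_db()
    payload = "1' OR 1=1 /*"
    print("unsafe, legitimate id 2 :", get_profile_unsafe(db, 2))
    print("unsafe, injected payload:", get_profile_unsafe(db, payload))
    print("safe,   legitimate id 2 :", get_profile_safe(db, 2))
    print("safe,   injected payload:", get_profile_safe(db, payload))
    print("title error reproduced  :", reproduce_title_error())
```

The `/*` at the end of the payload matters: SQLite treats an unterminated C-style comment as running to the end of the statement, which is what swallows the closing quote the format string adds.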
