
Why doesn't my function with variables update data?

import sqlite3

def overwriteFlat(top, curTable, rawEntrylist, columns):
    # rawEntrylist holds the input widgets of the window; read their current text
    entryList = list()
    for value in rawEntrylist:
        entryList.append(value.get())
    conn = sqlite3.connect('data.db')
    c = conn.cursor()
    for i in range(len(columns)):
        if entryList[i] != '':
            # Table name, column name and the key value entryList[0] are all pasted
            # into the SQL text; only the new value is passed as a bound parameter
            c.execute("UPDATE " + curTable + " SET " + columns[i] + " = :" + columns[i] + " WHERE " + columns[0] + " = " + str(entryList[0]), {columns[i]: entryList[i]})
            print(curTable, columns[i], entryList[i])
            conn.commit()
    c.close()
    conn.close()
    closeWin(top)  # closes the input window; defined elsewhere in the GUI code

Output:

Flat ID 23
Flat Street Test
Flat Street_Number 100

I put in "Test" and "100", so that works. I provide a window for input, the input gets put in here, and everything provided gets overwritten in the provided ID. Because of print() I see it goes into the right table; it also selects the right column and doesn't throw any exception. But it doesn't update the database.

  • Database not locked.
  • Variables all valid and working.
  • No exception is thrown.
  • Vulnerable to injection; as soon as it works I'll change it.

Thanks to @JohnGordon I found the solution.

But just in case someone wants to use variables in SQLite, I will explain how, as this is hardly explained anywhere on the Internet (at least at my beginner-programmer level).

Usually SQL commands work like this and are pretty static:

c.execute("UPDATE Your_Table SET Your_Column = :Your_Column WHERE IndexColumn = Your_Index", {"Your_Column": Your_Value})

But by using +Variable+ you can use variables in there, so it's the same thing but with whatever variable you want:

c.execute("UPDATE " + curTable + " SET " + columns[i] + " = :" + columns[i] + " WHERE " + columns[0] + " = " + str(entryList[0]), {columns[i]: entryList[i]})

You can now have the variables "curTable", "columns" and "entryList" set to whatever you want and don't need a static line for everything. The same works with INSERT and the other statements too.

Edit: (it's now 3 hours later, 1 AM, and I got the safer way)

NOW THAT YOU'VE GOT THAT, READ THIS: you will be vulnerable to SQL injection, and you still need to change that code to this:

query = "UPDATE " + curTable + " SET " + columns[i] + " = ? WHERE " + columns[0] + " = ?"
c.execute(query, (entryList[i], entryList[0]))

This makes it safer, but as I am not a pro yet, maybe someone can confirm.

Edit: Removed the triple quotes, as they are only needed for multi-line SQL. Thanks for the hint @Tim Roberts.
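The `?` version above binds the two values, but the table and column names are still pasted into the SQL text by concatenation, so they stay injectable wherever they come from user input, and the earlier version also pasted in the key value `str(entryList[0])`. The following is an added example, not code from the post: it keeps the post's concatenating pattern only to show what a hostile key value does to it, and beside it a hardened version that checks every identifier against the live schema (an allowlist taken from `PRAGMA table_info`), quotes it, and binds every value including the key. It assumes a table named Flat with the columns ID, Street and Street_Number, created here in an in-memory database with constructed sample rows.

```python
import sqlite3

# Constructed sample schema matching the column names the post prints
# (ID, Street, Street_Number). Added example, not the poster's code.
SCHEMA = """
CREATE TABLE Flat (ID INTEGER PRIMARY KEY, Street TEXT, Street_Number INTEGER);
INSERT INTO Flat VALUES (23, 'Old Street', 1);
INSERT INTO Flat VALUES (24, 'Other Street', 2);
"""


def open_sample_db():
    """In-memory database seeded with two rows so updates are observable."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def quote_ident(name):
    """Quote an identifier for SQLite; internal double quotes are doubled."""
    return '"' + name.replace('"', '""') + '"'


def table_columns(conn, table):
    """Column names of `table` from the live schema, or [] if it does not exist.
    The table name is bound as a value here, so it never reaches SQL text unchecked."""
    exists = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    if exists is None:
        return []
    return [row[1] for row in conn.execute("PRAGMA table_info(" + quote_ident(table) + ")")]


def overwrite_flat_unsafe(conn, table, columns, values):
    """The post's pattern: identifiers AND the key value are pasted into the
    SQL string; only the new value is bound. Kept here to show the injection."""
    for col, val in zip(columns[1:], values[1:]):
        if val != "":
            conn.execute(
                "UPDATE " + table + " SET " + col + " = :v WHERE "
                + columns[0] + " = " + str(values[0]),
                {"v": val},
            )
    conn.commit()


def overwrite_flat_safe(conn, table, columns, values):
    """Hardened version: table/column names must exist in the schema (allowlist)
    and are quoted; every value, including the key, is bound with ?.
    Returns the number of rows changed."""
    allowed = table_columns(conn, table)
    if not allowed:
        raise ValueError("unknown table: %r" % table)
    for col in columns:
        if col not in allowed:
            raise ValueError("unknown column: %r" % col)
    key_col, key_val = columns[0], values[0]
    changed = 0
    for col, val in zip(columns[1:], values[1:]):
        if val == "":
            continue  # an empty entry field means "leave this column alone"
        sql = "UPDATE %s SET %s = ? WHERE %s = ?" % (
            quote_ident(table), quote_ident(col), quote_ident(key_col))
        changed += conn.execute(sql, (val, key_val)).rowcount
    conn.commit()
    return changed


def rejects_bad_identifier():
    """A column name carrying SQL is refused before any statement is built."""
    try:
        overwrite_flat_safe(open_sample_db(), "Flat",
                            ["ID", "Street = 'x' WHERE 1=1 --"], ["23", "y"])
    except ValueError:
        return True
    return False


def demo():
    cols = ["ID", "Street", "Street_Number"]
    # 1. The post's honest input ("Test", "100") through the safe version.
    conn = open_sample_db()
    changed = overwrite_flat_safe(conn, "Flat", cols, ["23", "Test", "100"])
    row = conn.execute("SELECT Street, Street_Number FROM Flat WHERE ID = 23").fetchone()
    # 2. A hostile key value against the concatenating version rewrites every row.
    conn = open_sample_db()
    overwrite_flat_unsafe(conn, "Flat", cols, ["23 OR 1=1", "Test", ""])
    hijacked = conn.execute("SELECT COUNT(*) FROM Flat WHERE Street = 'Test'").fetchone()[0]
    # 3. The same key value bound as a literal matches no row at all.
    conn = open_sample_db()
    safe_changed = overwrite_flat_safe(conn, "Flat", cols, ["23 OR 1=1", "Test", ""])
    return {"changed": changed, "row": row, "hijacked": hijacked, "safe_changed": safe_changed}


if __name__ == "__main__":
    print(demo())
```

The allowlist is the only sound way to take an identifier from a caller: placeholders cannot bind table or column names, and quoting alone does not stop a caller from naming a column they should not be allowed to touch. The ID comparison works with the string "23" from an entry widget because SQLite applies the INTEGER column's affinity to the bound text, while "23 OR 1=1" is not a number and therefore matches nothing.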

Notice: the technical posts on this site follow the CC BY-SA 4.0 licence; if you reproduce them, please cite this site or the original source.
