堆栈内存溢出
  简体   繁体   English

在Python和sqlite中转义字符

[英]Escaping chars in Python and sqlite

 原文  2010-07-10 16:41:38       python/ sqlite

问题描述

I have a python script that reads raw movie text files into an sqlite database. 我有一个python脚本,将原始电影文本文件读入sqlite数据库。

I use re.escape(title) to add escape chars into the strings to make them db safe before executing the inserts. 我使用re.escape(title)将转义字符添加到字符串中,以使它们在执行插入之前安全。

Why does this not work: 为什么这不起作用: 

In [16]: c.execute("UPDATE movies SET rating = '8.7' WHERE name='\'Allo\ \'Allo\!\"\ \(1982\)'")
--------------------------------------------------------------------------- OperationalError                       Traceback (most recent call last)

/home/rajat/Dropbox/amdb/<ipython console> in <module>()

OperationalError: near "Allo": syntax error

Yet this works (removed \\' in two places) : 然而,这有效(在两个地方删除): 

In [17]: c.execute("UPDATE movies SET rating = '8.7' WHERE name='Allo\ Allo\!\"\ \(1982\)'") Out[17]: <sqlite3.Cursor object at 0x9666e90>

I can't figure it out. 我无法弄清楚。 I also can't ditch those leading quotes because they're actually part of the movie title. 我也不能放弃这些主流报价,因为它们实际上是电影片头的一部分。 Thank you. 谢谢。

4 个解决方案

解决方案1
 103 已采纳  2010-07-10 16:48:42

You're doing it wrong. 你这样做是错的。 Literally. 从字面上看。 You should be using parameters, like this: 您应该使用参数,如下所示: 

c.execute("UPDATE movies SET rating = ? WHERE name = ?", (8.7, "'Allo 'Allo! (1982)"))

Like that, you won't need to do any quoting at all and (if those values are coming from anyone untrusted) you'll be 100% safe (here) from SQL injection attacks too. 就像那样,你根本不需要做任何引用(如果那些值来自任何不受信任的人)你也将100%安全(这里)来自SQL注入攻击。

解决方案2
 11  2010-07-10 17:08:09

I use re.escape(title) to add escape chars into the strings to make them db safe 我使用re.escape(title)将转义字符添加到字符串中以使它们安全

Note that re.escape makes a string re -safe -- nothing to do with making it db safe. 请注意, re.escape使字符串重新安全 - 与使数据库安全无关。 Rather, as @Donal says, what you need is the parameter substitution concept of the Python DB API -- that makes things "db safe" as you need. 相反,正如@Donal所说,你需要的是Python DB API的参数替换概念 - 可以根据需要使“数据库安全”。

解决方案3
 7  2010-07-13 05:47:14

SQLite doesn't support backslash escape sequences. SQLite不支持反斜杠转义序列。 Apostrophes in string literals are indicated by doubling them: '''Allo ''Allo! (1982)' 字符串文字中的撇号通过加倍来表示: '''Allo ''Allo! (1982)' '''Allo ''Allo! (1982)' . '''Allo ''Allo! (1982)'

But, like Donal said, you should be using parameters. 但是,就像Donal所说,你应该使用参数。

解决方案4
 -4  2016-08-10 08:23:57

I've one simple tip you could use to handle this problem: When your SQL statement string has single quote:', then you could use double quote to enclose your statement string. 我有一个简单的提示可以用来处理这个问题:当你的SQL语句字符串有单引号:'时,你可以使用双引号括起你的语句字符串。 And when your SQL statement string has double quotes:", then you could use single quote:" to enclose your statement string. 当你的SQL语句字符串有双引号:“,那么你可以使用单引号:”来包含你的语句字符串。 Eg 例如 

sqlString="UPDATE movies SET rating = '8.7' WHERE name='Allo Allo !' (1982 )"
c.execute(sqlString)

Or, 要么, 

sqlString='UPDATE movies SET rating = "8.7" WHERE name="Allo Allo !" (1982 )'
c.execute(sqlString)

This solution works for me in Python environment. 这个解决方案适用于Python环境。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Python 2.6正则表达式,在Windows中转义字符 - Python 2.6 regex, escaping chars in windows 在python正则表达式中转义数字和特殊字符 - Escaping numbers and special chars in python regex Python与Perl正则表达式中的反斜杠和转义字符 - Backslashes and escaping chars in Python vs Perl regexes 使用Python插入sqlite时转义反斜杠 - Escaping backslash while inserting in sqlite using Python Python / SQLite3在WHERE-Clause中转义 - Python/SQLite3 escaping in WHERE-Clause f 字符串中的 Escaping 字符 - Escaping chars in f-string python IO:将单词从文本文件拆分为python数组,避免转义char,换行符,十六进制值 - python IO: Splitting words from textfile into python array, avoiding escaping chars, newlines, hexvalues 转义动态sqlite查询? - Escaping dynamic sqlite query? 逃避sqlite结果 - escaping sqlite results 在Python中转义两个列表 - Escaping two lists in Python
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM