I'm using mysqlclient (a fork of MySQLdb1 for Python 3) in Python 3.4.3, and according to what I've read online (Escape string Python for MySQL), MySQLdb Python queries should be written like this for proper escaping:
query = self.conn.cursor()
query.execute('SELECT 1 FROM servers WHERE ip=%s AND port=%s AND game_id=%s', (ip, port, gameid))
Unfortunately, when I do that, I get the following error:
unsupported operand type(s) for %: 'bytes' and 'tuple' mysqldb
This appears to work, but could this lead to SQL injection?
query = self.conn.cursor()
query.execute("SELECT 1 FROM servers WHERE ip='%s' AND port=%s AND game_id='%s'" % (ip,port,gameid))
So, how do I safely get the query above to work using the preferred syntax method that will escape it all for me in Python 3.4.3?
I couldn't get mysqlclient (a fork of MySQLdb, https://pypi.org/project/mysqlclient/) to work with Python 3.4 with the proper SQL syntax (the syntax that escapes everything for you). I switched to mysql-connector, and the same query code now works fine. It looks like a bug in mysqlclient.
pip3 install mysql-connector-python
mysqlclient-python doesn't support Python 3.4 anymore. Use a newer Python.
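Added example, not part of the original posts: the two query styles from the question, run side by side so the difference is visible. It assumes the standard-library sqlite3 module as an offline stand-in for MySQL (its placeholder is `?`, where MySQLdb and mysql-connector use `%s`); the table rows, the input values and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the question's `servers` table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE servers (ip TEXT, port INTEGER, game_id TEXT)")
    conn.executemany(
        "INSERT INTO servers VALUES (?, ?, ?)",
        [("10.0.0.5", 27015, "csgo"), ("10.0.0.6", 7777, "tom's game")],
    )
    return conn

def exists_formatted(conn, ip, port, gameid):
    # Style of the question's second snippet: Python's % operator pastes the
    # values into the SQL text, so the database parses them as part of the query.
    sql = ("SELECT 1 FROM servers WHERE ip='%s' AND port=%s AND game_id='%s'"
           % (ip, port, gameid))
    return conn.execute(sql).fetchone() is not None

def exists_bound(conn, ip, port, gameid):
    # Preferred style: SQL text and values are handed to the driver separately,
    # so a value is only ever compared as data.
    sql = "SELECT 1 FROM servers WHERE ip=? AND port=? AND game_id=?"
    return conn.execute(sql, (ip, port, gameid)).fetchone() is not None

def compare(conn, ip, port, gameid):
    """Return (formatted_result, bound_result); 'error' if the SQL fails to parse."""
    try:
        formatted = exists_formatted(conn, ip, port, gameid)
    except sqlite3.OperationalError:
        formatted = "error"
    return formatted, exists_bound(conn, ip, port, gameid)

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal lookup, a value that rewrites the WHERE
    # clause when formatted in, and a legitimate value containing a quote.
    for args in [("10.0.0.5", 27015, "csgo"),
                 ("192.0.2.1", 1, "x' OR '1'='1"),
                 ("10.0.0.6", 7777, "tom's game")]:
        print(args, "->", compare(db, *args))
```

The formatted query reports a match for a server that is not in the table and fails outright on an ordinary apostrophe; the bound query answers correctly in all three cases.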