
What is the reason for the error when inserting data into MySQL in Python 3?

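The following sample code scrapes a specific URL and then inserts the data into MySQL, but the insert code raises the error below, and I don't know what the reason for this error is: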

    data  = (URL,title,image,writer,article_date,article,keywords)
    save_data(data)
    
def save_data(data):
    cur.execute("SELECT * FROM shereen.articles WHERE URL='"+data[0]+"'")
    res = cur.fetchall()
    if len(res)==0:
        cur.execute("INSERT INTO shereen.articles VALUES"+str(data))
        conn.commit()
        print(data[0] +"   -->> Saved")
    else:
        print(data[0] +"   -->> Duplicated")

The following error occurs:

 Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
127.0.0.1 - - [03/Sep/2020 03:53:19] "GET / HTTP/1.1" 400 -
[2020-09-03 03:53:32,952] ERROR in app: Exception on / [GET]
Traceback (most recent call last):
  File "C:\Users\Alahram\anaconda3\lib\site-packages\flask\app.py", line 2447, in wsgi_app
    response = self.full_dispatch_request()
  File "C:\Users\Alahram\anaconda3\lib\site-packages\flask\app.py", line 1952, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "C:\Users\Alahram\anaconda3\lib\site-packages\flask\app.py", line 1821, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "C:\Users\Alahram\anaconda3\lib\site-packages\flask\_compat.py", line 39, in reraise
    raise value
  File "C:\Users\Alahram\anaconda3\lib\site-packages\flask\app.py", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "C:\Users\Alahram\anaconda3\lib\site-packages\flask\app.py", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "<ipython-input-28-c14cf8a20a1c>", line 15, in home
    get_article_details(URL)
  File "<ipython-input-28-c14cf8a20a1c>", line 35, in get_article_details
    save_data(data)
  File "<ipython-input-28-c14cf8a20a1c>", line 41, in save_data
    cur.execute(" " "INSERT INTO shereen.articles VALUES" " "+str(data))
  File "C:\Users\Alahram\anaconda3\lib\site-packages\pymysql\cursors.py", line 170, in execute
    result = self._query(query)
  File "C:\Users\Alahram\anaconda3\lib\site-packages\pymysql\cursors.py", line 328, in _query
    conn.query(q)
  File "C:\Users\Alahram\anaconda3\lib\site-packages\pymysql\connections.py", line 516, in query
    self._affected_rows = self._read_query_result(unbuffered=unbuffered)
  File "C:\Users\Alahram\anaconda3\lib\site-packages\pymysql\connections.py", line 727, in _read_query_result
    result.read()
  File "C:\Users\Alahram\anaconda3\lib\site-packages\pymysql\connections.py", line 1066, in read
    first_packet = self.connection._read_packet()
  File "C:\Users\Alahram\anaconda3\lib\site-packages\pymysql\connections.py", line 683, in _read_packet
    packet.check_error()
  File "C:\Users\Alahram\anaconda3\lib\site-packages\pymysql\protocol.py", line 220, in check_error
    err.raise_mysql_exception(self._data)
  File "C:\Users\Alahram\anaconda3\lib\site-packages\pymysql\err.py", line 109, in raise_mysql_exception
    raise errorclass(errno, errval)
pymysql.err.InternalError: (1366, "Incorrect string value: '\\xD8\\xA7\\xD9\\x84\\xD9\\x85...' for column 'title' at row 1")
127.0.0.1 - - [03/Sep/2020 03:53:32] "GET /?url=https://www.almasryalyoum.com/news/details/1994354 HTTP/1.1" 500 -

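Don't write SQL queries by concatenating strings together; this is an attack vector for SQL injection. Use string interpolation and pass the values as the next argument to execute(), as intended, i.e.: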

cur.execute("SELECT * FROM shereen.articles WHERE URL=%s", (data[0],))

and:

cur.execute("INSERT INTO shereen.articles VALUES(%s, %s, %s)", data) # in case `data` has three values

Doing so will solve both your problem and the SQL injection problem you didn't even know you had.
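
The difference between the question's concatenated statements and the answer's placeholders, as an added example that is not from the original post. It uses the standard-library sqlite3 module (placeholder `?`) as an offline stand-in for PyMySQL (placeholder `%s`); the three-column `articles` table, the sample rows and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # In-memory stand-in for shereen.articles (constructed, 3 columns only)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (url TEXT, title TEXT, writer TEXT)")
    return conn

def save_concat(conn, data):
    """The question's pattern: values pasted into the SQL text."""
    cur = conn.cursor()
    cur.execute("SELECT * FROM articles WHERE url='" + data[0] + "'")
    if cur.fetchall():
        return "duplicated"
    cur.execute("INSERT INTO articles VALUES" + str(data))
    conn.commit()
    return "saved"

def save_param(conn, data):
    """The answer's pattern: placeholders in the SQL, values passed separately."""
    cur = conn.cursor()
    cur.execute("SELECT 1 FROM articles WHERE url=?", (data[0],))
    if cur.fetchone():
        return "duplicated"
    cur.execute("INSERT INTO articles VALUES (?, ?, ?)", data)
    conn.commit()
    return "saved"

def compare(data, seed=None):
    """Run both variants on fresh databases; return (concat, param) outcomes."""
    results = []
    for save in (save_concat, save_param):
        conn = make_db()
        if seed:
            conn.execute("INSERT INTO articles VALUES (?, ?, ?)", seed)
        try:
            results.append(save(conn, data))
        except sqlite3.Error as exc:
            results.append("error: " + type(exc).__name__)
        conn.close()
    return tuple(results)

# Constructed sample rows
SEED = ("https://example.com/a", "First", "Someone")
MISSING_WRITER = ("https://example.com/b", "العنوان", None)  # scraper found no writer
QUOTE_IN_URL = ("x' OR '1'='1", "Title", "Writer")  # quotes rewrite the WHERE clause

if __name__ == "__main__":
    print(compare(MISSING_WRITER))      # str(data) emits a bare None, not valid SQL
    print(compare(QUOTE_IN_URL, SEED))  # concat check matches the unrelated seed row
```

Error 1366 in the traceback is a character-set error reported by the MySQL server, so the table and connection character sets need checking separately from the query style.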


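Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you need to repost, please credit this site's URL or the original address. For any questions, contact: yoyou2525@163.com.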

 