[英]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')
[英]Warning: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near
我正在將解析器xml編碼為mysql
錯誤的全名:
1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'CHA3871376-ABZ-1', '\xd0\x91\xd1\x80\xd0\xbe\xd0\xbd\xd0\xb7\xd0\xbe\xd0\xb2\xd0\xbe\xd0\xb5 \xd0\xbc\xd0\xb5\xd1\x82\xd0\xb0\xd0\xbb\xd0\xbb\xd0\xb8\xd1\x87\xd0\xb5\xd1\x81\xd0\xba\xd0\xbe\xd0\xb5 \xd0\xba\xd0\xbe\xd0\xbb\xd1\x8c\xd1\x86\xd0\xbe ' at line 1")
我有xml文件
<model>CHA3871376-ABZ-3</model>
我認為麻煩是編碼,但我正在努力
offer_model = item.getElementsByTagName("model")[0].firstChild.nodeValue.decode('utf-8')
sqlfillOffers = "INSERT INTO offers (offer_id, url, price, currency_id, typePrefix, vendor, model, description) VALUES ('"+str(offer_id) + "', '" + str(offer_url) + "', '" + str(offer_price) + "', '" + str(offer_CurrId) + "', '"+str(offer_typePrefix)+"', '"+str(offer_vendor)+"', '"+str(offer_model)+"', '"+str(offer_description)+"');"
怎么了?
不要使用字符串插值來構建SQL; 你會引入錯誤並打開自己的SQL注入攻擊。
請改用SQL參數,讓數據庫適配器負責為您轉義值:
sqlfillOffers = (
"INSERT INTO offers (offer_id, url, price, currency_id, typePrefix, vendor, model, description) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, )"
)
cursor.execute(
sqlfilOffers,
(offer_id, offer_url, offer_price, offer_CurrId, offer_typePrefix, offer_vendor, offer_model, offer_description)
)
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.