Python side story -- sql injection

1. Introduction to the concept of SQL injection

SQL injection is the technique of tricking a server into executing attacker-supplied SQL commands by embedding them in a web-form submission or in the query string of a page request. In other words, it abuses an existing application to inject (malicious) SQL into the backend database engine: a user enters a (malicious) SQL fragment into a web form, and a vulnerable website runs it against the database instead of executing only the SQL statements the designer intended.

2. How to prevent SQL injection in Python

import pymysql

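def op_mysql(host,user,password,db,sql,port=3306,charset='utf8',params=None):
	"""Open a connection, run one SQL statement, and close the connection again.

	Args:
		host, user, password, db: connection settings passed straight to ``pymysql.connect``.
		sql: the statement to run. Do not build it with string formatting from
			user input; put the values in ``params`` and use ``%s`` placeholders so
			the driver escapes them.
		port: MySQL port (default 3306).
		charset: connection charset (default 'utf8').
		params: optional sequence or mapping bound to the placeholders in ``sql``.
			Omitting it keeps the original behaviour (``cur.execute(sql)`` with no args).

	Returns:
		For a SELECT, the list of dict rows from ``fetchall()`` (DictCursor);
		for any other statement, the string 'ok' after the transaction is committed.

	Raises:
		Whatever ``pymysql`` raises on connect or execute; the cursor and the
		connection are always closed, which also discards an uncommitted write.
	"""
	conn = pymysql.connect(host=host, user=user,
						   password=password,
						   port=port,
						   charset=charset, db=db)
	try:
		cur = conn.cursor(cursor=pymysql.cursors.DictCursor)
		try:
			cur.execute(sql, params)
			# Classify by the first keyword; lstrip() so leading whitespace or a
			# newline before SELECT does not misroute the statement to commit().
			if sql.lstrip()[:6].upper() == 'SELECT':
				res = cur.fetchall()
			else:
				conn.commit()
				res = 'ok'
		finally:
			cur.close()
	finally:
		conn.close()
	return res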

# conn = pymysql.connect(host='211.149.218.16',user='jxz',
# 					   password='123456',
# 					   port=3306,
# 					   charset='utf8',db='jxz')
# cur = conn.cursor(cursor=pymysql.cursors.DictCursor)
# name='zdq'
# # sql = 'select * from bt_stu where username="%s"; '%name
# sex='nv'
# cur.execute('select * from bt_stu where real_name="%s;"' % name) # vulnerable to SQL injection: the value is formatted into the statement text
# cur.execute('select * from bt_stu where real_name=%s and sex = %s',(name,sex)) # safe: the driver escapes the bound parameters
# print(cur.fetchall())


def test(a,b):
	# print(a,b)
	pass
li = [1, 2]
d = {'a': 'ybq', 'b': 'mpp'}
test(*li)   # positional unpacking: a=1, b=2
test(**d)   # keyword unpacking: a='ybq', b='mpp'
# NOTE(review): host, user and password are hard-coded in source; real code
# should load them from the environment or a config file that is not committed.
conn = pymysql.connect(
	host='211.149.218.16',
	user='jxz',
	password='123456',
	port=3306,
	charset='utf8',
	db='jxz',
)
# DictCursor returns each row as a dict keyed by column name.
cur = conn.cursor(cursor=pymysql.cursors.DictCursor)

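def op_mysql_new(sql, *data):
	"""Run ``sql`` on the module-level cursor ``cur`` with ``data`` bound to its ``%s`` placeholders.

	``data`` arrives as a tuple (not a list): the extra positional arguments are
	collected by ``*data``. Handing the values to ``cur.execute`` separately lets
	the driver escape them, which is what prevents SQL injection; the statement
	text itself must not be assembled from user input.

	Returns:
		The rows from ``cur.fetchall()`` after execution (they are also printed,
		as before). Callers that ignored the old ``None`` result are unaffected.
	"""
	print(sql)
	# NOTE: this echoes the bound values to stdout; remove it if they can be sensitive.
	print(data)
	cur.execute(sql, data)
	rows = cur.fetchall()
	print(rows)
	return rows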
# sql = 'select * from user where username  = %s and sex=%s;'
# name='haha'
# sex='xxx'
# op_mysql_new(sql,name,sex)

# NOTE(review): this rebinds ``conn``/``cur`` without closing the connection
# opened earlier in the file, and repeats the hard-coded credentials.
_db_settings = {
	'host': '211.149.218.16',
	'user': 'jxz',
	'password': '123456',
	'port': 3306,
	'charset': 'utf8',
	'db': 'jxz',
}
conn = pymysql.connect(**_db_settings)

cur = conn.cursor(cursor=pymysql.cursors.DictCursor)

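# Parameterized INSERT: the three values of each row are bound to the %s
# placeholders by the driver, never formatted into the statement text.
sql = 'insert into seq (blue,red,date) values (%s,%s,%s)'
all_res = [
	['16','01,02,03,05,09,06','2018-01-28'],
	['15','01,02,03,05,09,06','2018-01-28'],
	['14','01,02,03,05,09,06','2018-01-28'],
	['13','01,02,03,05,09,06','2018-01-28'],
	['13','01,02,03,05,09,06','2018-01-28'],
	['13','01,02,03,05,09,06','2018-01-28'],
	['13','01,02,03,05,09,06','2018-01-28'],
	['13','01,02,03,05,09,06','2018-01-28'],
	['13','01,02,03,05,09,06','2018-01-28'],
	['13','01,02,03,05,09,06','2018-01-28'],
	['13','01,02,03,05,09,06','2018-01-28'],
	['13','01,02,03,05,09,06','2018-01-28'],
]
try:
	cur.executemany(sql, all_res) # Batch execution: every row is sent through the same parameterized statement
	conn.commit()
except pymysql.MySQLError:
	# Discard the partial batch so a failed insert does not leave the session
	# in an open transaction, then surface the error to the caller.
	conn.rollback()
	raise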

  
