import mysqldbconn=MySQLdb.connect(user='root',passwd='root')cur=conn.cursor(

1. import mysqldb
2.  
3. conn=MySQLdb.connect(user='root',passwd='root')
4. cur=conn.cursor()
5. sql = "select user from mysql.user where user='%s' and password = '%s' ";
6. cur.execute(sql % ('aaa','aaa')) # 结果：0L
7.  
8. ##### SQL注入的情形 #####
9. cur.execute(sql % ("aaa","aaa' or '' ='")) #SQL注入, 执行结果：3L
10. cur._executed #打印刚执行的SQL
11. # "select user from mysql.user where user='aaa' and password = 'aaa' or '' ='' "
12. cur.fetchall()
13. # (('root',), ('root',), ('root',))
14.  
15.  
16. ##### 防止SQL注入的做法 #####
17. sql = "select user from mysql.user where user=%s and password = %s "
18. cur.execute(sql,("aaa","aaa' or '' ='")) #SQL注入失败。将变量作为 execute 的参数传入，execute函数会自动进行转义.
19. # 需要注意的是，所有的占位符都是%s, %s 两边不需要引号，execute会自动根据你传如参数的类型判断是否添加引号。
20. # 执行结果：0L
21. cur._executed
22. # "select user from mysql.user where user='aaa' and password = 'aaa\\' or \\'\\' =\\'' "