[288]关于MySQL的1064错误

时间:2024-10-25 12:01:23

MySQL的1064错误是SQL语句写的有问题时出现的,即SQL的语法错误。笔者常常使用MySQL-python这个库来对MySQL进行操作,代码中报这个错误的一般是(sql, param)这一行。

这种参数式执行SQL语句的用法可以有效防止SQL注入的安全问题,但是为什么MySQL会报错呢?如果你确认SQL写的没问题,检查一下SQL语句中是否使用了引号。

在使用(sql, param)时,MySQL-python库会自动转义含有%s的字符串,所以不要画蛇添足在SQL语句中给%s加引号了,会报1064的错误滴!

另外也有许多人使用有SQL注入隐患的(sql % param)这种用法,这样是可以给%s加引号的。

但是安全问题孰重孰轻,相信各位自有判断。


在使用pymysql对mysql进行操作时,使用%s给excute传入参数时出错,错误代码如下:

table="huxing_table"
key="house_structure_page_url"
value="test"
cursor=()
("INSERT INTO %s (%s) VALUES(%s)",(table,key,value))
()
()

错误提示为:

Traceback (most recent call last):
  File "/Users/huangjing/Library/Python/3.5/lib/python/site-packages/pymysql/", line 112, in execute
    result = self._query(query)
  File "/Users/huangjing/Library/Python/3.5/lib/python/site-packages/pymysql/", line 230, in _query
    (q)
  File "/Users/huangjing/Library/Python/3.5/lib/python/site-packages/pymysql/", line 607, in query
    self._affected_rows = self._read_query_result()
  File "/Users/huangjing/Library/Python/3.5/lib/python/site-packages/pymysql/", line 691, in _read_query_result
    ()
  File "/Users/huangjing/Library/Python/3.5/lib/python/site-packages/pymysql/", line 869, in read
    self.first_packet = .read_packet()
  File "/Users/huangjing/Library/Python/3.5/lib/python/site-packages/pymysql/", line 686, in read_packet
    packet.check_error()
  File "/Users/huangjing/Library/Python/3.5/lib/python/site-packages/pymysql/", line 328, in check_error
    raise_mysql_exception(self.__data)
  File "/Users/huangjing/Library/Python/3.5/lib/python/site-packages/pymysql/", line 142, in raise_mysql_exception
    _check_mysql_exception(errinfo)
  File "/Users/huangjing/Library/Python/3.5/lib/python/site-packages/pymysql/", line 135, in _check_mysql_exception
    raise errorclass(errno,errorvalue)
: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''huxing_table' ('house_structure_page_url') VALUES('test')' at line 1")

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/huangjing/downHouseInfo/", line 238, in <module>
    ("INSERT INTO %s (%s) VALUES(%s)",(table,key,value))
  File "/Users/huangjing/Library/Python/3.5/lib/python/site-packages/pymysql/", line 117, in execute
    (self, exc, value)
  File "/Users/huangjing/Library/Python/3.5/lib/python/site-packages/pymysql/", line 189, in defaulterrorhandler
    raise errorclass(errorvalue)
: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''huxing_table' ('house_structure_page_url') VALUES('test')' at line 1")
Exception ignored in: <bound method Cursor.__del__ of < object at 0x10585ebe0>>
Traceback (most recent call last):
  File "/Users/huangjing/Library/Python/3.5/lib/python/site-packages/pymysql/", line 41, in __del__
  File "/Users/huangjing/Library/Python/3.5/lib/python/site-packages/pymysql/", line 47, in close
ReferenceError: weakly-referenced object no longer exists

但是,尝试执行

("INSERT INTO huxing_table (house_structure_page_url) VALUES(%s)",(value))

时,没有错误提示。

在错误提示第31行发现,执行的mysql语句中用%s替换的参数外加上了单引号。

''huxing_table' ('house_structure_page_url') VALUES('test')'

在mysql命令行终端进行测试,执行语句

mysql> insert into huxing_table (`house_structure_page_url`) values("test");
Query OK, 1 row affected (0.00 sec)

没有错误提示。而执行

mysql> insert into huxing_table ('house_structure_page_url') values("test");
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''house_structure_page_url') values("test")' at line 1

则有错误提示。再进行验证

mysql> insert into huxing_table (house_structure_page_url) values('test');
Query OK, 1 row affected (0.00 sec)

不出错。

mysql> insert into 'huxing_table' (house_structure_page_url) values("test");
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''huxing_table' (house_structure_page_url) values("test")' at line 1

出错,说明在mysql的insert语句中表名和列名外都不能加单引号,而值则可以加单引号。

就直接写语句好了。
最后的解决办法是插入一条数据写一条sql语句。

参考:/p/92026862a0e5
/p/855fdb50c26c