I've run in to a problem i don't know how to solve.
我遇到了一个我不知道如何解决的问题。
I have this line:
我有这条线:
parse = cur.execute("SELECT * FROM testdb WHERE Match(name) AGAINST ('"The.New.York.Times"' IN BOOLEAN MODE);")
If I run:
如果我跑:
parse = cur.execute("SELECT * FROM testdb WHERE Match(name) AGAINST ('"The.New.York.Times"' IN BOOLEAN MODE);")
in mysql console, it works. But I guess python doesn't like the '"The.New.York.Times"' the quotes. How do I solve that?
在mysql控制台中,它的工作原理。但我猜python不喜欢“The.New.York.Times”的引号。我该如何解决?
And also, how would i in python make that search string a variable? Something along the lines of
而且,我如何在python中将搜索字符串变为变量?有点像
parse = cur.execute("SELECT * FROM testdb WHERE Match(name) AGAINST ('"%s"' IN BOOLEAN MODE);, var1")
?
1 个解决方案
#1
1
In order to avoid sql injections and get proper escaping, you should pass query variables as a second parameter to execute:
为了避免sql注入并获得正确的转义,您应该将查询变量作为第二个参数传递来执行:
param = '"The.New.York.Times"'
cur.execute("SELECT * FROM predb WHERE Match(name) AGAINST (%s IN BOOLEAN MODE)", (param, ))
#1
1
In order to avoid sql injections and get proper escaping, you should pass query variables as a second parameter to execute:
为了避免sql注入并获得正确的转义,您应该将查询变量作为第二个参数传递来执行:
param = '"The.New.York.Times"'
cur.execute("SELECT * FROM predb WHERE Match(name) AGAINST (%s IN BOOLEAN MODE)", (param, ))