Notice
Recent Posts
Recent Comments
일 | 월 | 화 | 수 | 목 | 금 | 토 |
---|---|---|---|---|---|---|
1 | 2 | 3 | 4 | 5 | 6 | 7 |
8 | 9 | 10 | 11 | 12 | 13 | 14 |
15 | 16 | 17 | 18 | 19 | 20 | 21 |
22 | 23 | 24 | 25 | 26 | 27 | 28 |
29 | 30 | 31 |
Tags
- ida
- idb2pat
- x64
- hex-rays
- Rat
- pytest
- ida pro
- debugging
- javascript
- NumPy Unicode Error
- h5py.File
- Python
- mock.patch
- Injection
- TensorFlow
- 포인터 매핑
- malware
- Analysis
- svn update
- error fix
- idapython
- open office xml
- ecma
- idapro
- commandline
- MySQL
- error
- why error
- Ransomware
- data distribution
Archives
- Today
- Total
13 Security Lab
python inserting single quotes (') around MySQL table name 본문
Computer Science/Programming
python inserting single quotes (') around MySQL table name
Maj0r Tom 2015. 12. 4. 18:00
Do not use SQL parameters for table names. SQL parameters are escaped by the database adapter to not be interpreted as anything but literal values.
You'll have to interpolate those yourself instead, but be absolutely certain that your table name does not hold untrusted data (prevent SQL injection attacks):
12 cur.execute("GRANT SELECT ON `project1`.`%s` TO `odbc`@`localhost`;" % row)cur.execute("GRANT SELECT ON `project1`.`%s` TO `odbc`@`%%`;" % row)
(where the % character in the grant has been escaped by doubling it to %%).
REF. :
http://stackoverflow.com/questions/15123001/python-inserting-single-quotes-around-mysql-table-name
하지만, 다른 문서에 따르면 `(backtick)을 쓰는 것은 mysql 표준이 아니며 , 이외에도 identifier를 표현하기 위한 방법에는 '(Single quotes) "(Double quotes) [(Bracket) 등이 있다.
개인적으로는 위 방법을 쓰는 것에는 한계가 있기 때문에 .replace("'","\\'")를 쓰는 것이 옳아 보인다.
+ 다른 방법
1
2
3
4
5
6
7
|
#conn = pymysql.connect()
h_query = conn.cursor()
var1 = 'AAA'
var2 = 'BBB'
var3 = 'CCC'
Query_Var = """INSERT INTO Test_Table (A, B, C) VALUES (%s, %s, %s)"""
Query_Result = h_query.execute(query=Query_var, args=(var1, var2, var3))
|
|
Comments