pymysql的使用1

import pymysql
#不要把自己的py文件起名叫pymysql。。
#否则会报错

# 连接数据库
conn = pymysql.connect(
    host = "localhost",
    user = "root",
    password = "",
    database = "s23",
    port = 3306,
    charset = 'utf8'
)
print(conn)
#cursor 游标对象
cur = conn.cursor()

user = input('请输入要查询的用户名')
pwd = input('请输入密码')
'''sql = 'select * from user where username = %s and pwd = %s'%(user,pwd)'''
#这句会报错 Unknown column 'alex' in 'where clause
#print(sql)
#打印出来看原因 ：  select * from user where username = alex and pwd = 123
#正常的语句 alex 要加引号
#正确写法
sql = 'select * from user where username = "%s" and pwd = "%s"'%(user,pwd)
print(sql)
retnum = cur.execute(sql)#执行sql语句
print(retnum)#受影响的行数
cur.close()#关闭游标
conn.close()#关闭连接

if retnum:
    print('登录成功')
else:
    print('登录失败')
#确实成功了，但是 上面的做法会存在sql注入
# 输入的时候 alex "-- ewqqrw
# 真实的语句 ：select * from user where username = "alex "-- ewqqrw" and pwd = "123"
#后面就被注释掉了
'''
请输入要查询的用户名a" or 1=1 -- wqqwe
请输入密码
select * from user where username = "a" or 1=1 -- wqqwe" and pwd = ""
#1=1 永远成立，登录成功
'''
#见2.防止sql注入