Preventing SQL injection
阿新 • Posted: 2020-11-25
Everyone take note: wherever SQL is executed directly, the values must be passed in as query parameters rather than substituted into the SQL string, so as to prevent SQL injection.
# Bad: the values were spliced into the SQL text by string replacement, with the
# quotes glued on by hand (the rest of the original statement is not shown here)
sql_str = """SELECT id FROM schedule WHERE schedule_id in
(SELECT id FROM working_schedule WHERE path_id in
(SELECT working_schedule.path_id FROM schedule left JOIN working_schedule
ON schedule.schedule_id=working_schedule.id WHERE schedule.id=%s AND schedule.company_id=%s))"""
# % (schedule_id, company_id, '"' + schedule_time + '"', '"' + start_date_time + '"', '"' + end_date_time + '"')

# Good: keep %s as DB-API placeholders and hand the values to execute() as parameters;
# the driver binds them as data, so no quoting by hand is needed
cursor.execute(sql_str, (schedule_id, company_id))
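The difference between the two styles, as an added, self-contained example that is not code from the post: a constructed in-memory SQLite table standing in for the schedule table above, queried once with string substitution and once with bound parameters (sqlite3 uses ? placeholders where pymysql uses %s; the parameter tuple is the same).

```python
import sqlite3


def make_db():
    # Constructed sample data: three schedule rows belonging to three companies.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE schedule (id INTEGER, schedule_id INTEGER, company_id INTEGER);
        INSERT INTO schedule VALUES (1, 10, 100), (2, 20, 200), (3, 30, 300);
    """)
    return con


def lookup_unsafe(con, schedule_id, company_id):
    # String replacement: whatever the caller typed becomes part of the SQL text,
    # so a value can close the quote and append its own conditions.
    sql = "SELECT id FROM schedule WHERE id='%s' AND company_id='%s'" % (
        schedule_id, company_id)
    return sorted(row[0] for row in con.execute(sql))


def lookup_safe(con, schedule_id, company_id):
    # Parameters: the driver binds the values as data; they can never be parsed as SQL.
    sql = "SELECT id FROM schedule WHERE id=? AND company_id=?"
    return sorted(row[0] for row in con.execute(sql, (schedule_id, company_id)))


if __name__ == "__main__":
    db = make_db()
    hostile = "1' OR '1'='1' -- "   # constructed input that is SQL, not an id
    print("unsafe:", lookup_unsafe(db, hostile, 100))  # every company's rows leak
    print("safe:  ", lookup_safe(db, hostile, 100))    # no row has that id
```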