Updated: 2021-11-27 09:12:53
Don't build your SQL queries via string formatting; use the driver's ability to prepare SQL queries and pass parameters into the query. This way you avoid SQL injection, and passing parameters of different types is handled transparently:
```python
# cur is a DB-API cursor from a driver that uses '?' (qmark) placeholders, e.g. sqlite3;
# tablename and the four bounds are the variables from the question.
# The table name is an identifier, so it cannot be bound as a parameter and is
# formatted in; the numeric bounds are passed as bound parameters instead.
query = """
INSERT INTO
    db.{table}
SELECT DISTINCT
    latitude, longitude, port
FROM
    MessageType1
WHERE
    latitude >= ? AND
    latitude <= ? AND
    longitude >= ? AND
    longitude <= ?
""".format(table=tablename)
cur.execute(query, (bottomlat, toplat, bottomlong, toplong))
```
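To make the difference concrete, here is an added example (not the answerer's code) that runs the same INSERT ... SELECT against a constructed in-memory SQLite database, once with the bounds formatted into the SQL text and once bound as parameters, and also allowlists the table name, since an identifier cannot be bound. The table `filtered_positions` and the sample rows are constructed for the example.

```python
import sqlite3

# Allowlist for the one identifier that must be formatted into the SQL text.
ALLOWED_TABLES = {"filtered_positions"}


def setup_db():
    """Constructed in-memory database with a source table and a target table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE MessageType1 (latitude REAL, longitude REAL, port TEXT);
        CREATE TABLE filtered_positions (latitude REAL, longitude REAL, port TEXT);
        INSERT INTO MessageType1 VALUES (10.0, 20.0, 'A'), (30.0, 40.0, 'B'), (10.0, 20.0, 'A');
        """
    )
    return conn


def copy_formatted(conn, tablename, bottomlat, toplat, bottomlong, toplong):
    """Unsafe variant: the bounds become part of the SQL text, so any input
    containing SQL syntax changes the statement. Returns rows inserted."""
    query = """
    INSERT INTO {table}
    SELECT DISTINCT latitude, longitude, port FROM MessageType1
    WHERE latitude >= {a} AND latitude <= {b} AND longitude >= {c} AND longitude <= {d}
    """.format(table=tablename, a=bottomlat, b=toplat, c=bottomlong, d=toplong)
    return conn.execute(query).rowcount


def copy_parameterised(conn, tablename, bottomlat, toplat, bottomlong, toplong):
    """Safe variant: table name checked against the allowlist, bounds bound via
    '?' placeholders so the driver passes them as typed values, never as SQL."""
    if tablename not in ALLOWED_TABLES:
        raise ValueError("unexpected table name: %r" % tablename)
    query = """
    INSERT INTO {table}
    SELECT DISTINCT latitude, longitude, port FROM MessageType1
    WHERE latitude >= ? AND latitude <= ? AND longitude >= ? AND longitude <= ?
    """.format(table=tablename)
    return conn.execute(query, (bottomlat, toplat, bottomlong, toplong)).rowcount


if __name__ == "__main__":
    # Only the (10, 20) box matches; the bound values filter as data, not as SQL.
    print(copy_parameterised(setup_db(), "filtered_positions", 0, 20, 0, 30))
```

With a non-numeric string for `bottomlat`, the formatted variant copies every distinct row because the string is parsed as SQL, while the parameterised variant compares it as a value and matches nothing.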