我想在<td>
在下面的index.html頁面顯示從數據庫中的每一行:顯示新的頁面上的數據在Python
$def with(items)
<h1></h1>
<br/>
<br>
<table border="1">
<tr>
<th>Name</th>
<th>address</th>
<th>number</th>
</tr>
<tr>
<td>//want name here</td>
<td>//address here</td>
<td>//number here</td>
</tr>
</table>
app.py代碼:
import web
import MySQLdb
urls = (
'/', 'Index'
)
app = web.application(urls, globals())
render = web.template.render('templates/')
class Index(object):
def GET(self):
return render.hello_form()
def POST(self):
form = web.input(name="a", newname="s", number="d")
conn = MySQLdb.connect(host= "localhost", user="root", passwd="", db="testdb")
x = conn.cursor()
x.execute("SELECT * FROM details WHERE name = '%s'" % (form.name))
conn.commit()
items = x.fetchall()
for row in items:
conn.rollback()
conn.close()
return render.index(items)
if __name__ == "__main__":
app.run()
是,一個SQL注入我看到這裏? – Aif
我沒有得到你..?@ aif – Edison
如果名字=''union select'concat(login,':',password)from user where'admin'會發生什麼? (是的,這是僞代碼)請參閱https://www.owasp.org/index.php/SQL_Injection – Aif