2016-07-26 78 views
0

我試圖做使用下面的代碼在一個MySQL表命名N_NUMBER列的簡單檢索:Python的MySQLdb的語法錯誤看似正確的語法

from os.path import join, dirname 
from dotenv import load_dotenv 
import MySQLdb  

TABLE_NAME = 'testmaster' 

dotenv_path = join(dirname(__file__), '.env') 
load_dotenv(dotenv_path) # loads the .env 

dbName = os.environ.get('DB_NAME') 
mydb = MySQLdb.connect(host=os.environ.get('DB_HOST'), user=os.environ.get('DB_USER'), passwd=os.environ.get('DB_PASS'), db=dbName) 
cursor = mydb.cursor() 

cursor.execute("SELECT N_NUMBER FROM %s", (TABLE_NAME,)) 

我繼續每次都得到相同的回溯,這就是:

Traceback (most recent call last): 
    File "updateMaster.py", line 101, in <module> 
    cursor.execute("SELECT 'N_NUMBER' FROM %s", (TABLE_NAME,)) 
    File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/MySQLdb/cursors.py", line 205, in execute 
    self.errorhandler(self, exc, value) 
    File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler 
    raise errorclass, errorvalue 
_mysql_exceptions.ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''testmaster'' at line 1") 

我也試圖與pyformat風格語法所推薦的文檔的.execute()方法,但仍然收到了同樣的錯誤。該pyformat風格看上去像:

cursor.execute("SELECT N_NUMBER FROM %(table_name)s", {'table_name':TABLE_NAME}) 

當我嘗試直接插入表名到字符串命令,該命令起作用,導致我懷疑它有事情做與%S。出了什麼問題?

+1

你不能參數表名:http://stackoverflow.com/questions/15255694/python-mysqldb-execute-table-variable(同去列名也是如此)。 – alecxe

+0

謝謝!我知道這個問題可能在某個地方問過,但我一直沒能找到它。 – RyMac

回答

2

您不能參數化表和列名稱。雖然被認識到的SQL Injection攻擊的可能性,而不是做:

cursor.execute("SELECT N_NUMBER FROM {}".format(TABLE_NAME)) 
+0

工作完美,謝謝:) – RyMac

+0

乾杯,隊友。快樂的編碼給你。 – bernie