python - 如何重构我的 python 以使用 SQL Prepared 语句？

考虑调整您的查询方法以接受参数输入并在cursor.execute. 这需要您替换 SQL 字符串中数据值的字符串格式

" WHERE username = '%s'" % (username)

带有一个没有数据的预准备语句，该语句稍后通过参数与数据绑定。

" WHERE username = %s"

不要将 unquoted%s与带引号的'%s'占位符混淆（在 Python 中不再推荐使用上面评论的后一种方法）。共：

# SELECT QUERIES
def get_all_results(q, p):                          # ADD NEW INPUT PARAMETER 
    cur = mysql.connection.cursor()
    cur.execute(q, p)                               # PASS BOTH IN EXECUTE CALL
    mysql.connection.commit()
    data = cur.fetchall()
    cur.close()
    return data

# UPDATE and INSERT QUERIES
def commit_results(q, p):                           # ADD NEW INPUT PARAMETER 
    cur = mysql.connection.cursor()
    cur.execute(q, p)                               # PASS BOTH IN EXECUTE CALL
    mysql.connection.commit()
    cur.close()

def get_user(username):
    q = "SELECT * FROM Users WHERE username = %s"   # PREPARED STATEMENT

    logging.debug("get_user query: {}".format(q))

    data = get_all_results(q, (username,))          # PASS PARAMETER AS TUPLE
    # data = get_all_results(q, [username])         # PASS PARAMETER AS LIST

    if len(data) == 1:
        user = User(*(data[0]))
    else:
        msg = "get_user: Something wrong happened with username:{}".format(username)
        logging.debug(msg)
        user = None

    return user

None如果调用传递类型不需要参数。

data = get_all_results(q, None)