1.escape_string

 

MySQLdb.escape_string(param)

'ascii' codec can't encode characters in position 0-2: ordinal not in range(128)

 # 因为用户输入的字符串的字符集是ascll,但是ascll不支持中文, 所以我们可以把python的默认字符集改成utf-8就可以了

2. excute参数化传递

 

cur.excute(sql, (str1,str2))

import MySQLdb

conn = MySQLdb.connect(host='localhost', user='root', passwd='', db='test')

param = 'aaa'

## 第一种

escape_param = MySQLdb.escape_string(param)
cur = conn.cursor()

cur.execute("select * form table where col="+escape_param+"")

cur.commit()

cur.close()

##第二种

cur = conn.cursor()

# 这是有效的，正确方式
  cur.execute('select * from table where col=%s',(param,))

# 这是无效的,只是普通的占位符替换
  cur.execute('select * from table where col=%s'% (param,))

cur.commit()

cur.close()