Of Stack

The pymysql module that operates mysql in Python

  • 2020-05-10 18:28:17
  • OfStack

preface

pymsql is the module in Python that operates MySQL, and it is used in almost the same way as MySQLdb. Currently, pymysql supports python3.x, while the latter does not support the 3.x version.

This article tested python version 2.7.11. mysql version: 5.6.24

1. Install 


pip3 install pymysql

2. Operation

1. Execute SQL 


#!/usr/bin/env pytho
# -*- coding:utf-8 -*-
import pymysql
 
#  Create a connection 
conn = pymysql.connect(host='127.0.0.1', port=3306, user='root', passwd='', db='tkq1', charset='utf8')
#  Create a cursor 
cursor = conn.cursor()
 
#  perform SQL , and returns the number of indented rows 
effect_row = cursor.execute("select * from tb7")
 
#  perform SQL , and returns the number of affected rows 
#effect_row = cursor.execute("update tb7 set pass = '123' where nid = %s", (11,))
 
#  perform SQL , and returns the number of affected rows , Many times 
#effect_row = cursor.executemany("insert into tb7(user,pass,licnese)values(%s,%s,%s)", [("u1","u1pass","11111"),("u2","u2pass","22222")])
 
 
#  Commit, otherwise you cannot save new or modified data 
conn.commit()
 
#  Close the cursor 
cursor.close()
#  Close the connection 
conn.close()

Note: when Chinese exists, you need to add charset='utf8' to the connection, otherwise the Chinese will show scrambled code.

2. Obtain query data 


#! /usr/bin/env python
# -*- coding:utf-8 -*-
# __author__ = "TKQ"
import pymysql

conn = pymysql.connect(host='127.0.0.1', port=3306, user='root', passwd='', db='tkq1')
cursor = conn.cursor()
cursor.execute("select * from tb7")

#  Gets the order of the remaining results 1 Rows of data 
row_1 = cursor.fetchone()
print row_1
#  Before getting the rest of the results n Rows of data 
# row_2 = cursor.fetchmany(3)

#  Get all the data for the remaining results 
# row_3 = cursor.fetchall()

conn.commit()
cursor.close()
conn.close()

3. Get the newly created data and add ID

You can get the latest self-incrementing ID, which is the last data inserted, ID 


#! /usr/bin/env python
# -*- coding:utf-8 -*-
# __author__ = "TKQ"
import pymysql

conn = pymysql.connect(host='127.0.0.1', port=3306, user='root', passwd='', db='tkq1')
cursor = conn.cursor()
effect_row = cursor.executemany("insert into tb7(user,pass,licnese)values(%s,%s,%s)", [("u3","u3pass","11113"),("u4","u4pass","22224")])
conn.commit()
cursor.close()
conn.close()
# Get on the id
new_id = cursor.lastrowid      
print new_id

4. Move the cursor

Operations are done with the cursor, and control of the cursor is required 


 Note: in fetch The data is in order and can be used cursor.scroll(num,mode) To move the cursor position, such as: 

cursor.scroll(1,mode='relative') #  Move relative to current position 
cursor.scroll(2,mode='absolute') #  Relative to the absolute position

 

5. fetch data type

The data acquired by default is of meta-ancestor type. If you want data of dictionary type, namely: 


#! /usr/bin/env python
# -*- coding:utf-8 -*-
# __author__ = "TKQ"
import pymysql

conn = pymysql.connect(host='127.0.0.1', port=3306, user='root', passwd='', db='tkq1')
# The cursor is set to the dictionary type 
cursor = conn.cursor(cursor=pymysql.cursors.DictCursor)
cursor.execute("select * from tb7")

row_1 = cursor.fetchone()
print row_1  #{u'licnese': 213, u'user': '123', u'nid': 10, u'pass': '213'}

conn.commit()
cursor.close()
conn.close()

6. Call the stored procedure

a, calling a no-argument stored procedure 


#! /usr/bin/env python
# -*- coding:utf-8 -*-
# __author__ = "TKQ"

import pymysql

conn = pymysql.connect(host='127.0.0.1', port=3306, user='root', passwd='', db='tkq1')
# The cursor is set to the dictionary type 
cursor = conn.cursor(cursor=pymysql.cursors.DictCursor)
# Parameterless stored procedure 
cursor.callproc('p2')  # Is equivalent to cursor.execute("call p2()")

row_1 = cursor.fetchone()
print row_1


conn.commit()
cursor.close()
conn.close()

b, call the parameter stored procedure 


#! /usr/bin/env python
# -*- coding:utf-8 -*-
# __author__ = "TKQ"

import pymysql

conn = pymysql.connect(host='127.0.0.1', port=3306, user='root', passwd='', db='tkq1')
cursor = conn.cursor(cursor=pymysql.cursors.DictCursor)

cursor.callproc('p1', args=(1, 22, 3, 4))
# Gets the parameters that are stored after execution , parameter @ At the beginning 
cursor.execute("select @p1,@_p1_1,@_p1_2,@_p1_3")  #{u'@_p1_1': 22, u'@p1': None, u'@_p1_2': 103, u'@_p1_3': 24}
row_1 = cursor.fetchone()
print row_1


conn.commit()
cursor.close()
conn.close()

3. About pymysql anti-injection

  1, string concatenation query, resulting in injection

Normal query statement: 


#! /usr/bin/env python
# -*- coding:utf-8 -*-
# __author__ = "TKQ"
import pymysql

conn = pymysql.connect(host='127.0.0.1', port=3306, user='root', passwd='', db='tkq1')
cursor = conn.cursor()
user="u1"
passwd="u1pass"
# The condition of a normally constructed statement 
sql="select user,pass from tb7 where user='%s' and pass='%s'" % (user,passwd)
#sql=select user,pass from tb7 where user='u1' and pass='u1pass'
row_count=cursor.execute(sql) row_1 = cursor.fetchone()
print row_count,row_1

conn.commit()
cursor.close()
conn.close()

Construct the injection statement: 


#! /usr/bin/env python
# -*- coding:utf-8 -*-
# __author__ = "TKQ"
import pymysql

conn = pymysql.connect(host='127.0.0.1', port=3306, user='root', passwd='', db='tkq1')
cursor = conn.cursor()

user="u1' or '1'-- "
passwd="u1pass"
sql="select user,pass from tb7 where user='%s' and pass='%s'" % (user,passwd)

# The concatenation statement is constructed into the following, the never true condition, at which point the injection is successful. So to avoid this situation you need to use pymysql Parameterized query provided. 
#select user,pass from tb7 where user='u1' or '1'-- ' and pass='u1pass'

row_count=cursor.execute(sql)
row_1 = cursor.fetchone()
print row_count,row_1


conn.commit()
cursor.close()
conn.close()

 

  2, avoid injection, use the parameterized statements provided by pymysql

Normal parameterized query 


#!/usr/bin/env pytho
# -*- coding:utf-8 -*-
import pymysql
 
#  Create a connection 
conn = pymysql.connect(host='127.0.0.1', port=3306, user='root', passwd='', db='tkq1', charset='utf8')
#  Create a cursor 
cursor = conn.cursor()
 
#  perform SQL , and returns the number of indented rows 
effect_row = cursor.execute("select * from tb7")
 
#  perform SQL , and returns the number of affected rows 
#effect_row = cursor.execute("update tb7 set pass = '123' where nid = %s", (11,))
 
#  perform SQL , and returns the number of affected rows , Many times 
#effect_row = cursor.executemany("insert into tb7(user,pass,licnese)values(%s,%s,%s)", [("u1","u1pass","11111"),("u2","u2pass","22222")])
 
 
#  Commit, otherwise you cannot save new or modified data 
conn.commit()
 
#  Close the cursor 
cursor.close()
#  Close the connection 
conn.close()
0

Construct injection, parameterized query injection failed. 


#!/usr/bin/env pytho
# -*- coding:utf-8 -*-
import pymysql
 
#  Create a connection 
conn = pymysql.connect(host='127.0.0.1', port=3306, user='root', passwd='', db='tkq1', charset='utf8')
#  Create a cursor 
cursor = conn.cursor()
 
#  perform SQL , and returns the number of indented rows 
effect_row = cursor.execute("select * from tb7")
 
#  perform SQL , and returns the number of affected rows 
#effect_row = cursor.execute("update tb7 set pass = '123' where nid = %s", (11,))
 
#  perform SQL , and returns the number of affected rows , Many times 
#effect_row = cursor.executemany("insert into tb7(user,pass,licnese)values(%s,%s,%s)", [("u1","u1pass","11111"),("u2","u2pass","22222")])
 
 
#  Commit, otherwise you cannot save new or modified data 
conn.commit()
 
#  Close the cursor 
cursor.close()
#  Close the connection 
conn.close()
1

Conclusion: when excute executes SQL statement, it must be parameterized. Otherwise, SQL injection vulnerability will be generated.

3. Use mysql storage process to dynamically execute SQL anti-injection

Anti-injection is automatically provided using MYSQL stored procedures and SQL is dynamically passed into stored procedure execution statements. 


#!/usr/bin/env pytho
# -*- coding:utf-8 -*-
import pymysql
 
#  Create a connection 
conn = pymysql.connect(host='127.0.0.1', port=3306, user='root', passwd='', db='tkq1', charset='utf8')
#  Create a cursor 
cursor = conn.cursor()
 
#  perform SQL , and returns the number of indented rows 
effect_row = cursor.execute("select * from tb7")
 
#  perform SQL , and returns the number of affected rows 
#effect_row = cursor.execute("update tb7 set pass = '123' where nid = %s", (11,))
 
#  perform SQL , and returns the number of affected rows , Many times 
#effect_row = cursor.executemany("insert into tb7(user,pass,licnese)values(%s,%s,%s)", [("u1","u1pass","11111"),("u2","u2pass","22222")])
 
 
#  Commit, otherwise you cannot save new or modified data 
conn.commit()
 
#  Close the cursor 
cursor.close()
#  Close the connection 
conn.close()
2 

set @nid1=12;
set @nid2=15;
set @callsql = 'select * from tb7 where nid>? and nid<?';
CALL proc_sql(@nid1,@nid2,@callsql)

pymsql call 


#!/usr/bin/env pytho
# -*- coding:utf-8 -*-
import pymysql
 
#  Create a connection 
conn = pymysql.connect(host='127.0.0.1', port=3306, user='root', passwd='', db='tkq1', charset='utf8')
#  Create a cursor 
cursor = conn.cursor()
 
#  perform SQL , and returns the number of indented rows 
effect_row = cursor.execute("select * from tb7")
 
#  perform SQL , and returns the number of affected rows 
#effect_row = cursor.execute("update tb7 set pass = '123' where nid = %s", (11,))
 
#  perform SQL , and returns the number of affected rows , Many times 
#effect_row = cursor.executemany("insert into tb7(user,pass,licnese)values(%s,%s,%s)", [("u1","u1pass","11111"),("u2","u2pass","22222")])
 
 
#  Commit, otherwise you cannot save new or modified data 
conn.commit()
 
#  Close the cursor 
cursor.close()
#  Close the connection 
conn.close()
4

4. Simplify the connection process with with

Closing the connection every time is cumbersome, and using context management simplifies the connection process 


#!/usr/bin/env pytho
# -*- coding:utf-8 -*-
import pymysql
 
#  Create a connection 
conn = pymysql.connect(host='127.0.0.1', port=3306, user='root', passwd='', db='tkq1', charset='utf8')
#  Create a cursor 
cursor = conn.cursor()
 
#  perform SQL , and returns the number of indented rows 
effect_row = cursor.execute("select * from tb7")
 
#  perform SQL , and returns the number of affected rows 
#effect_row = cursor.execute("update tb7 set pass = '123' where nid = %s", (11,))
 
#  perform SQL , and returns the number of affected rows , Many times 
#effect_row = cursor.executemany("insert into tb7(user,pass,licnese)values(%s,%s,%s)", [("u1","u1pass","11111"),("u2","u2pass","22222")])
 
 
#  Commit, otherwise you cannot save new or modified data 
conn.commit()
 
#  Close the cursor 
cursor.close()
#  Close the connection 
conn.close()
5

conclusion

The above is the whole content of pymysql module in Python. I hope it will be helpful for you to learn or use python. If you have any questions, please leave a message to communicate.

Related articles: