python--防止SQL注入

from pymysql import *


def main():
    # 创建Connextion连接
    conn = connect(host=‘localhost‘, port=3306, user=‘root‘, password=‘‘, database=‘test‘, charset=‘utf8‘)
    # 获取Cursor对象
    cursor = conn.cursor()
    param = "‘ or 1 = 1 or ‘1"
    sql = "select * from users where username = ‘%s‘" % (param,)
    count = cursor.execute(sql)
    print(count)
    # 结果是2 获取到数据库所有记录
    print(cursor.fetchall())
    # ((1, ‘张三‘, ‘男‘, 10), (2, ‘李四‘, ‘男‘, 10))
    count1 = cursor.execute("select * from users where username = %s", param)
    print(count1)
    # 结果是0



if __name__ == ‘__main__‘:
    main()