防止sql注入

大家注意下，凡是直接执行sql的，都要用参数传入， 而不是字符串替换，防止sql注入问题。****

sql_str = """SELECT id FROM schedule WHERE schedule_id in
(SELECT id FROM working_schedule WHERE path_id in
(SELECT working_schedule.path_id FROM schedule left JOIN working_schedule
ON
schedule.schedule_id=working_schedule.id WHERE schedule.id=%s AND schedule.company_id=%s))
and time=%s and date>=%s and date<=%s""" % (
schedule_id, company_id, ‘"‘ + schedule_time + ‘"‘, ‘"‘ + start_date_time + ‘"‘, ‘"‘ + end_date_time + ‘"‘)

防止sql注入

原文：https://www.cnblogs.com/ami-miao/p/14037334.html