python的引用錯誤 - 使用pymssql

Question

我試圖用python 2.5.2來執行下面的代碼。該腳本正在建立連接並創建表，但隨後出現以下錯誤。

腳本

import pymssql 
conn = pymssql.connect(host='10.103.8.75', user='mo', password='the_password', database='SR_WF_MODEL') 
cur = conn.cursor() 
cur.execute('CREATE TABLE persons(id INT, name VARCHAR(100))') 
cur.executemany("INSERT INTO persons VALUES(%d, %s)", \ 
    [ (1, 'John Doe'), (2, 'Jane Doe') ]) 
conn.commit() 

cur.execute("SELECT * FROM persons WHERE salesrep='%s'", 'John Doe') 
row = cur.fetchone() 
while row: 
    print "ID=%d, Name=%s" % (row[0], row[1]) 
    row = cur.fetchone() 

cur.execute("SELECT * FROM persons WHERE salesrep LIKE 'J%'") 

conn.close() 

錯誤

Traceback (most recent call last): 
    File "connect_to_mssql.py", line 9, in <module> 
    cur.execute("SELECT * FROM persons WHERE salesrep='%s'", 'John Doe') 
    File "/var/lib/python-support/python2.5/pymssql.py", line 126, in execute 
    self.executemany(operation, (params,)) 
    File "/var/lib/python-support/python2.5/pymssql.py", line 152, in executemany 
    raise DatabaseError, "internal error: %s" % self.__source.errmsg() 
pymssql.DatabaseError: internal error: None 

有什麼建議？另外，你如何閱讀回溯錯誤，任何人都可以幫助我理解錯誤信息？你怎麼讀它？自下而上？

Answer 1

我想你是假設常規的Python字符串插值行爲，即：

>>> a = "we should never do '%s' when working with dbs" 
>>> a % 'this' 
"we should never do 'this' when working with dbs" 

內執行方法貌似正常的字符串格式化操作，但是這更多的是方便或記憶的%操作;您的代碼應閱讀：

cur.execute("SELECT * FROM persons WHERE salesrep=%s", 'John Doe')

不帶引號，這將與像奧賴利名工作，並有助於防止每個數據庫適配器設計SQL注入。這實際上就是數據庫適配器的用途 - 將python對象轉換爲sql;它會知道如何引用一個字符串，並正確逃生標點符號等，如果你沒有它的工作：

>>> THING_ONE_SHOULD_NEVER_DO = "select * from table where cond = '%s'" 
>>> query = THING_ONE_SHOULD_NEVER_DO % 'john doe' 
>>> query 
"select * from table where cond = 'john doe'" 
>>> cur.execute(query) 

但是這是不好的做法。