sqlalchemy execute 使用参数化占位符执行 sql 语句 避免 sql 注入

创建日期: 2024-09-26 16:34 | 作者: 风波 | 浏览次数: 19 | 分类: SQLAlchemy

来源:通义千问 AI

参数占位符使用方式

import sqlalchemy
from sqlalchemy import orm
from sqlalchemy.sql import text

def get_session(url=None):
    engine = sqlalchemy.create_engine(url)
    Sess = orm.sessionmaker(bind=engine)
    session = Sess()

    return session


dbsess = get_session("mysql+pymysql://username:password@hostname:3306/dbname")

keyword = "hello"
rows = dbsess.execute(text(f"select * from tablename where upper(name) like upper(:keyword) "), {"keyword": f"%{keyword}%"})

原答案

from sqlalchemy import create_engine, text
from sqlalchemy.orm import sessionmaker

# 假设你已经配置好了数据库连接
engine = create_engine('your_database_url')
Session = sessionmaker(bind=engine)
session = Session()

# 使用参数化查询的例子
user_id = 123
sql = text("SELECT * FROM users WHERE id = :id")
result = session.execute(sql, {"id": user_id})

# 处理结果
for row in result:
    print(row)

# 确保关闭会话
session.close()

或者

from sqlalchemy import bindparam

# 如果你想重用同一个查询对象并改变参数
sql_with_params = text("SELECT * FROM users WHERE id = :id").bindparams(
    bindparam('id', type_=Integer)
)

# 执行带有不同参数的相同查询
for user_id in [123, 456, 789]:
    result = session.execute(sql_with_params, {"id": user_id})
    for row in result:
        print(row)

# 关闭会话
session.close()
19 浏览
18 爬虫
0 评论