嘿,我对这一切都很新,所以请原谅愚蠢:)
import os
import MySQLdb
import time
db = MySQLdb.connect(host="localhost", user="root", passwd="********", db="workspace")
cursor = db.cursor()
tailoutputfile = os.popen('tail -f syslog.log')
while 1:
x = tailoutputfile.readline()
if len(x)==0:
break
y = x.split()
if y[2] == 'BAD':
timestring = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(time.time()))
cursor.execute("INSERT INTO releases (date, cat, name) values (timestring, y[4], y[7]")
if y[2] == 'GOOD':
print y[4] + '\t' + y[7]
所以我运行程序,这是我得到的错误消息
user@machine:~/$ python reader.py
Traceback (most recent call last):
File "reader.py", line 17, in ?
cursor.execute("INSERT INTO releases (date, cat, name) values (timestring, y[4], y[7]")
File "/usr/lib/python2.4/site-packages/MySQLdb/cursors.py", line 163, in execute
self.errorhandler(self, exc, value)
File "/usr/lib/python2.4/site-packages/MySQLdb/connections.py", line 35, in defaulterrorhandler
raise errorclass, errorvalue
_mysql_exceptions.ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '[4], y[7]' at line 1")
user@machine:~/$
所以我假设错误显然来自SQL语句
cursor.execute("INSERT INTO releases (date, cat, name) values (timestring, y[4], y[7]")
这是y [4]和y [7]的样子.
YES Mail.Sent.To.User:user@work.com.11.2.2008:23.17
这个错误是否发生是因为我在尝试将它们插入数据库之前应该转义这些值?还是我完全忽略了这一点?
任何帮助,将不胜感激!提前致谢.
正如所指出的那样,您无法将Python变量值复制到查询中,只能将它们的名称复制到MySQL中.
但是直接字符串连接选项:
cursor.execute("INSERT INTO releases (date, cat, name) VALUES ('%s', '%s', '%s')" % (timestring, y[4], y[7]))
是危险的,不应该使用.如果这些字符串具有像'或\ in这样的越界字符,那么你会得到一个SQL注入导致可能的安全性泄露.也许在你的特定应用程序中永远不会发生,但它仍然是一个非常糟糕的做法,初学者的SQL教程真的需要停止使用.
使用MySQLdb的解决方案是让DBAPI层负责为您插入和转义参数值到SQL,而不是自己尝试%:
cursor.execute('INSERT INTO releases (date, cat, name) VALUES (%s, %s, %s)', (timestring, y[4], y[7]))
京公网安备 11010802040832号 | 京ICP备19059560号-6 