【Question title】: 1064, "You have an error in your SQL syntax" inserting (Another)
【Posted】: 2019-04-04 04:10:43
【Question】:

My IDE shows the following error:

MySQLdb._exceptions.ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2102@lionstate.edu', '88zlsj5j', 'Kristopher O'Connell', '21', 'F', 'CMPSC', '77' at line 1")

This is the part of the code that causes the error:

# Build the INSERT with Python %-formatting and run it once per row of the dataframe
for a, b, c, d, e, f, g, h in zip(df_stu['Email'], df_stu['Password'], df_stu['Full Name'], df_stu['Age'], df_stu['Gender'], df_stu['Major'], df_stu['Street'], df_stu['Zip']):
    cursor.execute("INSERT INTO LSU.Student (Semail, Spassword, Sname, Sage, Sgender, Smajor, Sstreet, Szipcode) "
                   "VALUES ('%s', '%s', '%s', '%d', '%s', '%s', '%s', '%d')" % (a, b, c, d, e, f, g, h))

This is my CREATE TABLE:

cursor.execute("CREATE TABLE IF NOT EXISTS LSU.Student (Semail CHAR(50), Spassword CHAR(20), Sname CHAR(50), "
               "Sage INT, Sgender CHAR(5), Smajor CHAR(50), Sstreet CHAR(50), Szipcode INT, PRIMARY KEY (Semail))")

This looks correct to me, but the IDE keeps saying there is a syntax error.

【Comments】:

  • Post the entire error message
  • LIMIT is a reserved keyword
  • What is the period in LSU. for? Is that the database name?

Tags: python mysql sql database


【Answer 1】:

Could the single quote (') in 'Kristopher O'Connell' be interfering with the query?

【Comments】:

    【Answer 2】:

    Consider parameterization, the highly advised and recommended industry best practice that avoids malicious users injecting SQL; quotes and special characters that can break query execution; and unreadable/unmaintainable code, because data is mixed with code.

    # PREPARED STATEMENT (ALL PLACEHOLDERS USING UNQUOTED %s PLACEHOLDERS, NO DATA)
    sql = """INSERT INTO LSU.Student (Semail, Spassword, Sname, Sage, Sgender, Smajor, Sstreet, Szipcode)
             VALUES (%s, %s, %s, %s, %s, %s, %s, %s)
          """
    
    for a, b, c, d, e, f, g, h in zip(df_stu['Email'], df_stu['Password'], df_stu['Full Name'], 
                                      df_stu['Age'], df_stu['Gender'], df_stu['Major'], 
                                      df_stu['Street'], df_stu['Zip']):    
        # QUERY EXECUTION
        cursor.execute(sql, (a, b, c, d, e, f, g, h))
    

    Even consider executemany using pandas' DataFrame.values method, since you appear to be iterating over a dataframe. This avoids the for/zip loop:

    # PREPARED STATEMENT
    sql = """INSERT INTO LSU.Student (Semail, Spassword, Sname, Sage, Sgender, Smajor, Sstreet, Szipcode)
             VALUES (%s, %s, %s, %s, %s, %s, %s, %s)
          """
    
    # EXECUTE PARAMETERIZED QUERY
    sql_cols = ['Email', 'Password', 'Full Name', 'Age', 'Gender', 'Major', 'Street', 'Zip']
    cursor.executemany(sql, df_stu[sql_cols].values.tolist())   
    conn.commit()
    

    【Comments】:
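As an added illustration (not code from the question or either answer), the following uses Python's sqlite3 module as a stand-in for MySQLdb, with ? placeholders where MySQLdb takes unquoted %s, to show the constructed 'Kristopher O'Connell' row breaking the interpolated statement while the parameterized insert stores it intact.

```python
import sqlite3

# Constructed sample rows shaped like the asker's df_stu columns; the second
# row carries the apostrophe that broke the original query.
SAMPLE_ROWS = [
    ("a1@lionstate.edu", "pw1", "Ada Lovelace", 21, "F", "CMPSC", "1 Main St", 16801),
    ("b2@lionstate.edu", "pw2", "Kristopher O'Connell", 21, "F", "CMPSC", "77 Elm St", 16802),
]

# Asker's approach: data spliced into the SQL text via %-formatting.
INSERT_INTERPOLATED = ("INSERT INTO Student (Semail, Spassword, Sname, Sage, Sgender, Smajor, Sstreet, Szipcode) "
                       "VALUES ('%s', '%s', '%s', '%d', '%s', '%s', '%s', '%d')")

# Answer 2's approach: placeholders only. sqlite3 uses ? where MySQLdb uses %s.
INSERT_PARAMETERIZED = ("INSERT INTO Student (Semail, Spassword, Sname, Sage, Sgender, Smajor, Sstreet, Szipcode) "
                        "VALUES (?, ?, ?, ?, ?, ?, ?, ?)")


def make_db():
    """In-memory stand-in for the LSU.Student table (MySQL CHAR/INT -> TEXT/INTEGER)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Student (Semail TEXT PRIMARY KEY, Spassword TEXT, Sname TEXT, "
                 "Sage INTEGER, Sgender TEXT, Smajor TEXT, Sstreet TEXT, Szipcode INTEGER)")
    return conn


def insert_interpolated(conn, rows):
    """Run the interpolated INSERT per row; return the class name of the first
    database error, or None if every row went in. The apostrophe in O'Connell
    closes the string literal early, so the parser sees a stray token."""
    for row in rows:
        try:
            conn.execute(INSERT_INTERPOLATED % row)
        except sqlite3.Error as exc:
            return type(exc).__name__
    return None


def insert_parameterized(conn, rows):
    """Bind values through the driver; quotes inside data are never parsed as SQL."""
    conn.executemany(INSERT_PARAMETERIZED, rows)
    conn.commit()
    return conn.execute("SELECT Sname FROM Student ORDER BY Semail").fetchall()
```

With sqlite3 the interpolated path fails with OperationalError on the O'Connell row, while the parameterized path returns both names unchanged.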
