【Question title】: sqlite3.OperationalError: near "s": syntax error
【Posted】: 2021-01-07 15:28:13
【Question】:

I am making a Discord bot. I tried to add an economy to my bot using an SQLite3 database. But when I create a column, I get an error:

cursor.execute(f"INSERT INTO users VALUES ('{member}', {member.id}, 30, 0, 0, 1, {guild.id})")
sqlite3.OperationalError: near "s": syntax error

Also, here is the code:

@client.event
async def on_ready():
    cursor.execute("""CREATE TABLE IF NOT EXISTS users (
        name TEXT,
        id INT,
        cash BIGINT,
        rep INT,
        xp INT,
        lvl INT,
        server_id INT
    )""")

    for guild in client.guilds:
        for member in guild.members:
            if cursor.execute(f"SELECT id FROM users WHERE id = {member.id}").fetchone() is None:
                cursor.execute(f"INSERT INTO users VALUES ('{member}', {member.id}, 30, 0, 0, 1, {guild.id})")
            else:
                pass

    connection.commit()

【Comments】:

    Tags: python mysql sqlite discord.py discord.py-rewrite


    【Answer 1】:

    Code injection bug! Consider what happens if the stringification of member is Foo's Bar. You end up executing

    INSERT INTO users VALUES ('Foo's Bar...
                                -- ^ Syntax error
    

    I believe

    cursor.execute(f"SELECT id FROM users WHERE id = {member.id}")
    cursor.execute(f"INSERT INTO users VALUES ('{member}', {member.id}, 30, 0, 0, 1, {guild.id})")
    

    should be

    cursor.execute("SELECT id FROM users WHERE id = ?", ( member.id, ))
    cursor.execute("INSERT INTO users VALUES (?, ?, 30, 0, 0, 1, ?)",
       ( str(member), member.id, guild.id ) )
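
The difference between the two query styles in the answer above, as an added example that is not part of the original question or answer: it runs both against an in-memory SQLite database. The member names and ids are constructed sample data, and the helper function names are hypothetical.

```python
import sqlite3

# Constructed sample data standing in for (str(member), member.id, guild.id).
SAMPLE_MEMBERS = [
    ("Alice#0001", 101, 1),
    ("Foo's Bar#0002", 102, 1),  # the apostrophe ends the SQL string literal early
    ('semi;colon -- "dash"#0003', 103, 1),
]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, id INT, cash BIGINT, "
                 "rep INT, xp INT, lvl INT, server_id INT)")
    return conn


def insert_interpolated(conn, name, member_id, guild_id):
    # The question's pattern: values are pasted into the SQL text.
    conn.execute(
        f"INSERT INTO users VALUES ('{name}', {member_id}, 30, 0, 0, 1, {guild_id})")


def insert_parameterized(conn, name, member_id, guild_id):
    # The answer's pattern: values are bound to ? placeholders as data.
    row = conn.execute("SELECT id FROM users WHERE id = ?", (member_id,)).fetchone()
    if row is None:
        conn.execute("INSERT INTO users VALUES (?, ?, 30, 0, 0, 1, ?)",
                     (name, member_id, guild_id))


def run_demo():
    # Returns (names that broke the interpolated query, names stored via binding).
    failures, bad, good = [], open_db(), open_db()
    for member in SAMPLE_MEMBERS:
        try:
            insert_interpolated(bad, *member)
        except sqlite3.OperationalError as exc:
            failures.append((member[0], str(exc)))
        insert_parameterized(good, *member)
    good.commit()
    stored = [r[0] for r in good.execute("SELECT name FROM users ORDER BY id")]
    return failures, stored


if __name__ == "__main__":
    print(run_demo())
```

With bound parameters every name is stored byte for byte, so no escaping or filtering of member names is needed before the insert.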
    
