python自动化测试-D7-学习笔记之一（sql补充内容）

# sql 注入：原理是利用了引号
# sql语句中用了引号，可以构造 1=1这类永远为真 且合格的sql语句
#    例如 "select * from bt_stu where real_name='%s' and sex = %s"%(name,sex)  可以把name 的字符串写成  'or '1'='1
#         sql语句就变成了 select * from bt_stu where real_name =''or'1'='1' and sex = 0 直接把所有内容都打印出来了
#         或者 name 字符串构造成 name = " ' ;show tables;' -- "
#         sql语句就变成了 select * from bt_stu where real_name ='';show tables; '-- and sex = 0
#         同理，也可以把show tables 语句改成 删除 修改等操作
# 所以为了防止sql注入，我们写sql语句的时候，需要把%s的引号去掉
# 例如：sql = "select * from bt_stu where real_name=%s;",name

# 为了防止sql注入，那么我的op_mysql()的函数，参数则需要修改,用可变参数
# def test(a,b):
#     pass
#
# li = [1,2]
# d = {'la':'lala',
#      'li':'lili'}
# test(*li) # 可变参数  一一对应，1传给a，2传给b
# test(**d) # 可变参数 一一对应，la传给a，li传给b

import pymysql,json
import conn
def op_mysql(sql,*data,
             host=conn.MYSQL_HOST,
             user=conn.MYSQL_USER,
             password=conn.MYSQL_PASSWORD,
             db=conn.MYSQL_DB,
             port=conn.MYSQL_PORT,
             charset=conn.MYSQL_CHARSET
             ):

    conn = pymysql.connect(
        host=host,
        user=user,
        password=password,
        db=db,
        port=port,
        charset=charset
    )
    cur = conn.cursor(cursor=pymysql.cursors.DictCursor)
    cur.executemany(sql,data)
    sql_start = sql[:6].upper()

    if sql_start == 'SELECT':
        res_list = cur.fetchall()
        res = json.dumps(res_list,ensure_ascii=False)
    else:
        conn.commit()
        res = 'Exe Success'
    return res

name = 'admin'
money = 10000
sql = "select * from user WHERE username = %s AND money = %s;"
data = [name,money]
res=op_mysql(sql,data)
print(res)
sql1 = 'insert into seq (blue,red,date) values (%s,%s,%s)'
all_res = [
   ['16','01,02,03,05,09,06','2018-01-28'],
   ['15','01,02,03,05,09,06','2018-01-28'],
   ['14','01,02,03,05,09,06','2018-01-28'],
   ['13','01,02,03,05,09,06','2018-01-28'],
   ['13','01,02,03,05,09,06','2018-01-28'],
   ['13','01,02,03,05,09,06','2018-01-28'],
   ['13','01,02,03,05,09,06','2018-01-28'],
   ['13','01,02,03,05,09,06','2018-01-28'],
   ['13','01,02,03,05,09,06','2018-01-28'],
   ['13','01,02,03,05,09,06','2018-01-28'],
   ['13','01,02,03,05,09,06','2018-01-28'],
   ['13','01,02,03,05,09,06','2018-01-28'],
]
res=op_mysql(sql1,*all_res) # 如果不加 * 调用函数的时候，因为函数里写的是 *data  data本身是一个元组，不加*传进去后，打印出来的data是一个三维的([[]],[[]],[[]])
# 加了 * 之后是把参数一个个的传进去，所以调用函数的时候，data变成了二维数组
print(res)
# 修改，删除