我想在<td>
在下面的index.html页面显示从数据库中的每一行:显示新的页面上的数据在Python
$def with(items)
<h1></h1>
<br/>
<br>
<table border="1">
<tr>
<th>Name</th>
<th>address</th>
<th>number</th>
</tr>
<tr>
<td>//want name here</td>
<td>//address here</td>
<td>//number here</td>
</tr>
</table>
app.py代码:
import web
import MySQLdb
urls = (
'/', 'Index'
)
app = web.application(urls, globals())
render = web.template.render('templates/')
class Index(object):
def GET(self):
return render.hello_form()
def POST(self):
form = web.input(name="a", newname="s", number="d")
conn = MySQLdb.connect(host= "localhost", user="root", passwd="", db="testdb")
x = conn.cursor()
x.execute("SELECT * FROM details WHERE name = '%s'" % (form.name))
conn.commit()
items = x.fetchall()
for row in items:
conn.rollback()
conn.close()
return render.index(items)
if __name__ == "__main__":
app.run()
是,一个SQL注入我看到这里? – Aif
我没有得到你..?@ aif – Edison
如果名字=''union select'concat(login,':',password)from user where'admin'会发生什么? (是的,这是伪代码)请参阅https://www.owasp.org/index.php/SQL_Injection – Aif