发表新帖
发表新帖

“%s” % format vs “{0}”.format() vs “?” format

后端 未结
关注
3 702
没有蜡笔的小新
没有蜡笔的小新 2020-12-08 16:42

In this post about SQLite, aaronasterling told me that

  • cmd = \"attach \\\"%s\\\" as toMerge\" % \"b.db\" : is wrong
  • cmd = \'attach
3条回答
  • 臣服心动
    臣服心动 (楼主)
    2020-12-08 17:07

    Because it is not being escaped. If you replaced the b.db with user input, it would leave you vulnerable to SQL injection.

    0 讨论(0)
 看不清?
提交回复
热议问题