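# Look up an `info` row by stock code using a parameterized query.
#
# Vulnerable form (shown for contrast, deliberately NOT executed):
#
#     sql = """select * from info where code = '%s';""" % stock_code
#
# Here `%` is Python string formatting, so `stock_code` is spliced straight
# into the SQL text; a value such as `x' or '1'='1` changes the query's
# meaning (SQL injection).
#
# Safe form: leave the placeholder in the SQL text and hand the value to the
# driver separately. The `%s` below is the DB-API placeholder of the driver
# behind `cs` (the `format`/`pyformat` paramstyle used by e.g. PyMySQL and
# psycopg2); it is not Python formatting. Do NOT wrap the placeholder in
# quotes — the driver quotes/escapes the bound value itself. Drivers using
# the `qmark` paramstyle (e.g. sqlite3) expect `?` instead of `%s`.
sql = """select * from info where code=%s;"""
# Parameters are passed as a one-element tuple — the trailing comma matters,
# `(stock_code)` would be a bare string, not a tuple. The original listing
# executed this query twice (an exact copy-paste); it is run once here.
cs.execute(sql, (stock_code,))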