修正sql注入

Question

我试图重建这个函数

def getStackArea(screen_area):
    db = postgresql.open(db_conf.connectionString())
    data = db.query("select stack_area from screen_coordinates where screen_area = " + screen_area + " and active = 1")
    return data[0]['stack_area']

至

def getStackArea(screen_area):
    db = postgresql.open(db_conf.connectionString())
    sql = "select stack_area from screen_coordinates where screen_area = ? and active = ?"
    row = db.query.first(sql, (screen_area,1))
    return data[0]['stack_area']

但是有syntax error at or near "and"。我做错了什么？第一种功能工作良好，但不安全。我使用py-postgresql

Answer 1

py-postgresql使用编号参数$1、$2等，而不是?作为占位符。

sql = "select stack_area from screen_coordinates where screen_area = $1 and active = $2"