```python
# Builds the INSERT by string concatenation: tablename and every value go
# straight into the statement text, so any value that contains SQL changes
# the statement itself.
sql = "insert into " + tablename + " "
sql += "values ("
sql += "".join(i + "," for i in values)[:-1]  # join values, drop the trailing comma
sql += ")"
try:
    self.db_session.execute(sql)
    self.db_session.commit()
    return 1
except:
    return 0
```

Yes, you read that right: there is no filtering whatsoever; it hands the SQL statement straight to the database. From the call...
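For contrast, here is a hardened rewrite of the insert shown above (an added example, not the project's code): values are bound as parameters and the table name, which cannot be bound, is checked against an allowlist. The `ALLOWED_TABLES` set and the `users` schema are assumed for the demo.

```python
import sqlite3

# Hypothetical allowlist: identifiers cannot be bound as parameters, so the
# only safe option is to refuse any table name the application does not know.
ALLOWED_TABLES = {"users", "events"}


def safe_insert(conn, tablename, values):
    """Insert one row; returns 1 on success and 0 on failure, like the original."""
    if tablename not in ALLOWED_TABLES:
        return 0
    # One placeholder per value; the driver sends values separately from the
    # statement text, so they can never alter the SQL structure.
    placeholders = ",".join("?" for _ in values)
    sql = f"insert into {tablename} values ({placeholders})"
    try:
        conn.execute(sql, tuple(values))
        conn.commit()
        return 1
    except sqlite3.Error:
        return 0


def demo():
    """Constructed demo: a quote-laden value is stored verbatim as data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (name text, role text)")
    tricky = "o'brien; -- "  # looks like SQL, but is just a string once bound
    ok = safe_insert(conn, "users", [tricky, "user"])
    rejected = safe_insert(conn, "users; drop table users", ["x", "y"])
    rows = conn.execute("select name, role from users").fetchall()
    return ok, rejected, rows


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the single-quoted value landing in the `name` column unchanged and the unknown table name being refused before any SQL is built.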