From israel_tecinf at ibest.com.br  Thu Jul 18 06:56:42 2013
From: israel_tecinf at ibest.com.br (ISRAEL DA-COSTA-HOMEM)
Date: Thu, 18 Jul 2013 01:56:42 -0300
Subject: [DB-SIG] PEP 249
Message-ID:

Good night,

I installed pymssql 2.0 from this link http://www.lfd.uci.edu/ ~ Gohlke / pythonlibs / # pymssql, but the error below occurred. I uninstalled it and installed pymssql 1.0.2, which worked perfectly. What might have gone wrong?

My py is 2.7.3. If I install using pip I also have the same problem. I use SQL Server 2008 R2 and IDLE.

Traceback (most recent call last):
  File "C:\Users\Israel\Desktop\local_sql.py", line 4, in
    con = pymssql.connect(host = 'localhost', user = 'sa', password = 'sa', database = 'teste_db')
  File "pymssql.pyx", line 556, in pymssql.connect (pymssql.c:7990)
    raise OperationalError(e[0])
OperationalError: (20009, 'Net-Lib error during Unknown error')

Thanks in advance.

--
*Israel Homem*

From mal at egenix.com  Thu Jul 18 09:24:22 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Thu, 18 Jul 2013 09:24:22 +0200
Subject: [DB-SIG] pymssql error (was: PEP 249)
In-Reply-To:
References:
Message-ID: <51E79826.4080308@egenix.com>

On 18.07.2013 06:56, ISRAEL DA-COSTA-HOMEM wrote:
> Good night,
>
> I installed pymssql 2.0 from this link http://www.lfd.uci.edu/ ~ Gohlke /
> pythonlibs / # pymssql, but the error below occurred. I uninstalled it
> and installed pymssql 1.0.2, which worked perfectly.
> What might have gone wrong?
>
> My py is 2.7.3. If I install using pip I also have the same problem.
> I use SQL Server 2008 R2 and IDLE.
>
> Traceback (most recent call last):
>   File "C:\Users\Israel\Desktop\local_sql.py", line 4, in
>     con = pymssql.connect(host = 'localhost', user = 'sa', password = 'sa',
> database = 'teste_db')
>   File "pymssql.pyx", line 556, in pymssql.connect (pymssql.c:7990)
>     raise OperationalError(e[0])
> OperationalError: (20009, 'Net-Lib error during Unknown error')

It usually helps searching the net for the error string :-)

http://code.google.com/p/pymssql/issues/detail?id=74
http://pyyou.wordpress.com/2009/02/01/install-pymssql-and-how-to-deal-with-db-lib-error-message-20009-severity-9/
http://stackoverflow.com/questions/15706078/pymssql-python-connection-string

If one of those links doesn't help, I'd suggest contacting the package author or filing a bug report.

--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, Jul 18 2013)
>>> Python Projects, Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/

From carl at personnelware.com  Thu Jul 18 15:38:24 2013
From: carl at personnelware.com (Carl Karsten)
Date: Thu, 18 Jul 2013 08:38:24 -0500
Subject: [DB-SIG] mysql module embeds params in command string
Message-ID:

I feel I need to post this now and then in hopes I find someone who can do something about it. This might even be worth some PSF funding?

I am not a security expert, I am not qualified to assess the risk, it doesn't matter if I consider this a vulnerability. That said, I know it is a problem that should be fixed.

    query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args ))
    self._query(query)

http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185

Yes: the mysql python module that everyone uses does string substitution to combine the command and parameters into a command with embedded constants.

I opened a bug against it years ago. I looked at fixing it, but that led me into coercing python values into whatever the mysql client lib does, and that is not something I should be doing.

--
Carl K

From mal at egenix.com  Thu Jul 18 15:55:42 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Thu, 18 Jul 2013 15:55:42 +0200
Subject: [DB-SIG] mysql module embeds params in command string
In-Reply-To:
References:
Message-ID: <51E7F3DE.1080309@egenix.com>

Carl Karsten wrote:
> I feel I need to post this now and then in hopes I find someone who
> can do something about it. This might even be worth some PSF funding?
>
> I am not a security expert, I am not qualified to assess the risk, it
> doesn't matter if I consider this a vulnerability. That said, I know
> it is a problem that should be fixed.
>
>     query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args ))
>     self._query(query)
>
> http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185
>
> Yes: the mysql python module that everyone uses does string
> substitution to combine the command and parameters into a command with
> embedded constants.
>
> I opened a bug against it years ago. I looked at fixing it, but that
> led me into coercing python values into whatever the mysql client lib
> does, and that is not something I should be doing.

As long as the encoders properly quote all parameter values, such an operation should be fine, but I agree: this would probably need an audit by a MySQL expert who has intimate knowledge about all the different quoting rules MySQL supports.

Aside: I don't know anything about the MySQL client C API, but the above strikes me as a rather inefficient way of passing parameters to the database. Doesn't the MySQL client lib offer a way to send the SQL and the parameters as logically separate items to the database server?

--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/

From mike_mp at zzzcomputing.com  Thu Jul 18 16:08:25 2013
From: mike_mp at zzzcomputing.com (Michael Bayer)
Date: Thu, 18 Jul 2013 10:08:25 -0400
Subject: [DB-SIG] mysql module embeds params in command string
In-Reply-To:
References:
Message-ID:

On Jul 18, 2013, at 9:38 AM, Carl Karsten wrote:

> I feel I need to post this now and then in hopes I find someone who
> can do something about it. This might even be worth some PSF funding?
>
> I am not a security expert, I am not qualified to assess the risk, it
> doesn't matter if I consider this a vulnerability. That said, I know
> it is a problem that should be fixed.
>
>     query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args ))
>     self._query(query)
>
> http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185
>
> Yes: the mysql python module that everyone uses does string
> substitution to combine the command and parameters into a command with
> embedded constants.
>
> I opened a bug against it years ago.
> I looked at fixing it, but that led me into coercing python values into
> whatever the mysql client lib does, and that is not something I should
> be doing.

Not like this shouldn't be fixed, but also in theory, people would be moving to MySQL Connector/Python, seeing as it's the Python driver that's actually advertised on the MySQL site and also runs in Python 3:

http://dev.mysql.com/doc/connector-python/en/

I haven't looked at its source, and it did take a long time for this driver to be usable, but recent versions seem to work well. It's worth seeing what approach it takes to bound parameters internally.

Not to mention there's lots of other MySQL drivers: OurSQL, cymysql, pymysql. I've tested all of these and they all work pretty well.

From carl at personnelware.com  Fri Jul 19 05:03:54 2013
From: carl at personnelware.com (Carl Karsten)
Date: Thu, 18 Jul 2013 22:03:54 -0500
Subject: [DB-SIG] mysql module embeds params in command string
In-Reply-To:
References:
Message-ID:

Huh, I didn't know there were any other options. I wonder why this says this:

MySQLdb is the Python interface to MySQL. Version 1.2.1p2 or later is required for full MySQL support in Django.

https://docs.djangoproject.com/en/1.5/ref/databases/#mysqldb

On Thu, Jul 18, 2013 at 9:08 AM, Michael Bayer wrote:
>
> On Jul 18, 2013, at 9:38 AM, Carl Karsten wrote:
>
>> I feel I need to post this now and then in hopes I find someone who
>> can do something about it. This might even be worth some PSF funding?
>>
>> I am not a security expert, I am not qualified to assess the risk, it
>> doesn't matter if I consider this a vulnerability. That said, I know
>> it is a problem that should be fixed.
>>
>>     query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args ))
>>     self._query(query)
>>
>> http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185
>>
>> Yes: the mysql python module that everyone uses does string
>> substitution to combine the command and parameters into a command with
>> embedded constants.
>>
>> I opened a bug against it years ago. I looked at fixing it, but that
>> led me into coercing python values into whatever the mysql client lib
>> does, and that is not something I should be doing.
>
> Not like this shouldn't be fixed, but also in theory, people would be moving to MySQL Connector/Python, seeing as it's the Python driver that's actually advertised on the MySQL site and also runs in Python 3:
>
> http://dev.mysql.com/doc/connector-python/en/
>
> I haven't looked at its source, and it did take a long time for this driver to be usable, but recent versions seem to work well. It's worth seeing what approach it takes to bound parameters internally.
>
> Not to mention there's lots of other MySQL drivers: OurSQL, cymysql, pymysql. I've tested all of these and they all work pretty well.

--
Carl K

From mike_mp at zzzcomputing.com  Fri Jul 19 05:54:26 2013
From: mike_mp at zzzcomputing.com (Michael Bayer)
Date: Thu, 18 Jul 2013 23:54:26 -0400
Subject: [DB-SIG] mysql module embeds params in command string
In-Reply-To:
References:
Message-ID: <4CA745E7-7893-4B87-AAF0-D5B73E5692A2@zzzcomputing.com>

If I had to guess why Django has a statement like that up, they may not have worked out their driver architecture such that they can easily swap out various DBAPI implementations on top of the same database backend; i.e. they probably have a "mysql.py" module with a big "import MySQLdb" hardcoded into it. We've supported many DBAPIs per database for so long I've forgotten about that old issue.

Those other drivers generally target MySQLdb for compatibility, so I'm sure you can get them to work at least 90% with django without much more hassle than a monkeypatch.

On Jul 18, 2013, at 11:03 PM, Carl Karsten wrote:

> Huh, I didn't know there were any other options. I wonder why this says this:
>
> MySQLdb is the Python interface to MySQL. Version 1.2.1p2 or later is
> required for full MySQL support in Django.
>
> https://docs.djangoproject.com/en/1.5/ref/databases/#mysqldb
>
> On Thu, Jul 18, 2013 at 9:08 AM, Michael Bayer wrote:
>>
>> On Jul 18, 2013, at 9:38 AM, Carl Karsten wrote:
>>
>>> I feel I need to post this now and then in hopes I find someone who
>>> can do something about it. This might even be worth some PSF funding?
>>>
>>> I am not a security expert, I am not qualified to assess the risk, it
>>> doesn't matter if I consider this a vulnerability. That said, I know
>>> it is a problem that should be fixed.
>>>
>>>     query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args ))
>>>     self._query(query)
>>>
>>> http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185
>>>
>>> Yes: the mysql python module that everyone uses does string
>>> substitution to combine the command and parameters into a command with
>>> embedded constants.
>>>
>>> I opened a bug against it years ago. I looked at fixing it, but that
>>> led me into coercing python values into whatever the mysql client lib
>>> does, and that is not something I should be doing.
>>
>> Not like this shouldn't be fixed, but also in theory, people would be moving to MySQL Connector/Python, seeing as it's the Python driver that's actually advertised on the MySQL site and also runs in Python 3:
>>
>> http://dev.mysql.com/doc/connector-python/en/
>>
>> I haven't looked at its source, and it did take a long time for this driver to be usable, but recent versions seem to work well. It's worth seeing what approach it takes to bound parameters internally.
>>
>> Not to mention there's lots of other MySQL drivers: OurSQL, cymysql, pymysql. I've tested all of these and they all work pretty well.
>
> --
> Carl K

From carl at personnelware.com  Fri Jul 19 06:06:50 2013
From: carl at personnelware.com (Carl Karsten)
Date: Thu, 18 Jul 2013 23:06:50 -0500
Subject: [DB-SIG] mysql module embeds params in command string
In-Reply-To: <4CA745E7-7893-4B87-AAF0-D5B73E5692A2@zzzcomputing.com>
References: <4CA745E7-7893-4B87-AAF0-D5B73E5692A2@zzzcomputing.com>
Message-ID:

That 1/2 answers my question - and it sounds correct for what you are saying.

But I am wondering why they picked that one. Yeah Yeah "Ask them" is the obvious answer :)

I am also wondering why so many exist. I would think after a year or 2 they would all merge together. I have trouble trying to dream up 2 mutually exclusive features.

On Thu, Jul 18, 2013 at 10:54 PM, Michael Bayer wrote:
> If I had to guess why Django has a statement like that up, they may not have worked out their driver architecture such that they can easily swap out various DBAPI implementations on top of the same database backend; i.e. they probably have a "mysql.py" module with a big "import MySQLdb" hardcoded into it. We've supported many DBAPIs per database for so long I've forgotten about that old issue.
>
> Those other drivers generally target MySQLdb for compatibility, so I'm sure you can get them to work at least 90% with django without much more hassle than a monkeypatch.
>
> On Jul 18, 2013, at 11:03 PM, Carl Karsten wrote:
>
>> Huh, I didn't know there were any other options. I wonder why this says this:
>>
>> MySQLdb is the Python interface to MySQL. Version 1.2.1p2 or later is
>> required for full MySQL support in Django.
>>
>> https://docs.djangoproject.com/en/1.5/ref/databases/#mysqldb
>>
>> On Thu, Jul 18, 2013 at 9:08 AM, Michael Bayer wrote:
>>>
>>> On Jul 18, 2013, at 9:38 AM, Carl Karsten wrote:
>>>
>>>> I feel I need to post this now and then in hopes I find someone who
>>>> can do something about it. This might even be worth some PSF funding?
>>>>
>>>> I am not a security expert, I am not qualified to assess the risk, it
>>>> doesn't matter if I consider this a vulnerability. That said, I know
>>>> it is a problem that should be fixed.
>>>>
>>>>     query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args ))
>>>>     self._query(query)
>>>>
>>>> http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185
>>>>
>>>> Yes: the mysql python module that everyone uses does string
>>>> substitution to combine the command and parameters into a command with
>>>> embedded constants.
>>>>
>>>> I opened a bug against it years ago. I looked at fixing it, but that
>>>> led me into coercing python values into whatever the mysql client lib
>>>> does, and that is not something I should be doing.
>>>
>>> Not like this shouldn't be fixed, but also in theory, people would be moving to MySQL Connector/Python, seeing as it's the Python driver that's actually advertised on the MySQL site and also runs in Python 3:
>>>
>>> http://dev.mysql.com/doc/connector-python/en/
>>>
>>> I haven't looked at its source, and it did take a long time for this driver to be usable, but recent versions seem to work well. It's worth seeing what approach it takes to bound parameters internally.
>>>
>>> Not to mention there's lots of other MySQL drivers: OurSQL, cymysql, pymysql. I've tested all of these and they all work pretty well.
>>
>> --
>> Carl K
>

--
Carl K

From mike_mp at zzzcomputing.com  Fri Jul 19 16:53:54 2013
From: mike_mp at zzzcomputing.com (Michael Bayer)
Date: Fri, 19 Jul 2013 10:53:54 -0400
Subject: [DB-SIG] mysql module embeds params in command string
In-Reply-To:
References: <4CA745E7-7893-4B87-AAF0-D5B73E5692A2@zzzcomputing.com>
Message-ID:

On Jul 19, 2013, at 12:06 AM, Carl Karsten wrote:

> That 1/2 answers my question - and it sounds correct for what you are saying.
>
> But I am wondering why they picked that one. Yeah Yeah "Ask them"
> is the obvious answer :)

Oh, well MySQLdb has been around way longer than all the others. Four (maybe even two or three) years ago all those other drivers didn't exist yet.

>
> I am also wondering why so many exist. I would think after a year or
> 2 they would all merge together. I have trouble trying to dream up 2
> mutually exclusive features.

My impression is that none of them are really targeting features, they are all targeting implementations. OurSQL uses a different set of MySQL APIs internally (I don't know the details) which supposedly grants significant performance increases. PyMySQL targets the "written in pure Python crowd", i.e. no C code, I guess for PyPy, easier builds on Windows. MySQL-connector-Python I'm not as sure about, it seems to be related to the MySQL project itself and maybe is some kind of attempt to write the code differently, not sure, and cymysql I only know about because the guy's been emailing me dialect updates, it uses Cython, so I imagine the idea there is that it's written in C but is easier to develop and maintain vs. a "raw C" implementation.

>
> On Thu, Jul 18, 2013 at 10:54 PM, Michael Bayer wrote:
>> If I had to guess why Django has a statement like that up, they may not have worked out their driver architecture such that they can easily swap out various DBAPI implementations on top of the same database backend; i.e. they probably have a "mysql.py" module with a big "import MySQLdb" hardcoded into it. We've supported many DBAPIs per database for so long I've forgotten about that old issue.
>>
>> Those other drivers generally target MySQLdb for compatibility, so I'm sure you can get them to work at least 90% with django without much more hassle than a monkeypatch.
>>
>> On Jul 18, 2013, at 11:03 PM, Carl Karsten wrote:
>>
>>> Huh, I didn't know there were any other options. I wonder why this says this:
>>>
>>> MySQLdb is the Python interface to MySQL. Version 1.2.1p2 or later is
>>> required for full MySQL support in Django.
>>>
>>> https://docs.djangoproject.com/en/1.5/ref/databases/#mysqldb
>>>
>>> On Thu, Jul 18, 2013 at 9:08 AM, Michael Bayer wrote:
>>>>
>>>> On Jul 18, 2013, at 9:38 AM, Carl Karsten wrote:
>>>>
>>>>> I feel I need to post this now and then in hopes I find someone who
>>>>> can do something about it. This might even be worth some PSF funding?
>>>>>
>>>>> I am not a security expert, I am not qualified to assess the risk, it
>>>>> doesn't matter if I consider this a vulnerability. That said, I know
>>>>> it is a problem that should be fixed.
>>>>>
>>>>>     query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args ))
>>>>>     self._query(query)
>>>>>
>>>>> http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185
>>>>>
>>>>> Yes: the mysql python module that everyone uses does string
>>>>> substitution to combine the command and parameters into a command with
>>>>> embedded constants.
>>>>>
>>>>> I opened a bug against it years ago. I looked at fixing it, but that
>>>>> led me into coercing python values into whatever the mysql client lib
>>>>> does, and that is not something I should be doing.
>>>>
>>>> Not like this shouldn't be fixed, but also in theory, people would be moving to MySQL Connector/Python, seeing as it's the Python driver that's actually advertised on the MySQL site and also runs in Python 3:
>>>>
>>>> http://dev.mysql.com/doc/connector-python/en/
>>>>
>>>> I haven't looked at its source, and it did take a long time for this driver to be usable, but recent versions seem to work well. It's worth seeing what approach it takes to bound parameters internally.
>>>>
>>>> Not to mention there's lots of other MySQL drivers: OurSQL, cymysql, pymysql. I've tested all of these and they all work pretty well.
>>>
>>> --
>>> Carl K
>>
>
> --
> Carl K
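
Added example (not part of any message in this thread, and not MySQLdb's code): a round-trip check contrasting the `query % tuple(...)` substitution discussed above with handing the driver the SQL and the parameters as separate items. It assumes Python's built-in sqlite3 as an offline stand-in, so the quoting rules exercised are SQLite's, not MySQL's; `naive_encoder`, `quoting_encoder`, `interpolate`, `round_trip_failures` and the sample values are hypothetical names and constructed data.

```python
import sqlite3

TEMPLATE = "INSERT INTO t (v) VALUES (%s)"

# Constructed sample values: quoting edge cases plus non-string types.
SAMPLES = ["plain", "O'Brien", "100% sure", "back\\slash", "", 42, None]


def naive_encoder(value):
    """Hypothetical encoder: wraps everything in quotes, escapes nothing."""
    return "'%s'" % (value,)


def quoting_encoder(value):
    """Hypothetical encoder following SQLite's literal rules (not MySQL's)."""
    if value is None:
        return "NULL"
    if isinstance(value, (int, float)):
        return repr(value)
    return "'" + str(value).replace("'", "''") + "'"


def interpolate(query, args, encoder):
    """Same shape as the quoted line: parameters become part of the SQL text."""
    return query % tuple(encoder(a) for a in args)


def round_trip_failures(encoder=None):
    """Insert each sample and return those that did not come back unchanged.

    With an encoder the value is interpolated client-side; with encoder=None
    the SQL text and the value are passed to the driver as separate items.
    """
    failures = []
    for value in SAMPLES:
        con = sqlite3.connect(":memory:")
        con.execute("CREATE TABLE t (v)")  # untyped column: value stored as given
        try:
            if encoder is None:
                con.execute("INSERT INTO t (v) VALUES (?)", (value,))
            else:
                con.execute(interpolate(TEMPLATE, [value], encoder))
            stored = [row[0] for row in con.execute("SELECT v FROM t")]
        except sqlite3.Error:
            stored = None  # the generated statement did not parse
        finally:
            con.close()
        if stored != [value]:
            failures.append(value)
    return failures


if __name__ == "__main__":
    print("naive encoder  :", round_trip_failures(naive_encoder))
    print("quoting encoder:", round_trip_failures(quoting_encoder))
    print("bound params   :", round_trip_failures())
```

With interpolation, whether every value survives depends entirely on the encoder covering each type and quoting rule of the target database; with bound parameters the statement text never changes.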