[DB-SIG] mysql module embeds params in command string

M.-A. Lemburg mal at egenix.com
Thu Jul 18 15:55:42 CEST 2013

Carl Karsten wrote:
> I feel I need to post this now and then in hopes I find someone who
> can do something about it.  This might even be worth some PSF funding?
> I am not a security expert, I am not qualified to asses the risk, it
> doesn't matter if I consider this a vulnerability.  That said, I know
> it is a problem that should be fixed.
>  query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args )
>  self._query(query)
> http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185
> Yes: the mysql python module that everyone uses does string
> substitution to combine the command and parameters into a command with
> embedded constants.
> I opened a bug against it years ago.  I looked at fixing it, but that
> lead me into coercing python values into whatever the mysql client lib
> does, and that is not something I should be doing.

As long as the encoders properly quote all parameter values,
such an operation should be fine, but I agree: this would
probably need an audit by a MySQL expert who has intimate
knowledge about all the different quoting rules MySQL supports.

Aside: I don't know anything about the MySQL client C API,
but the above strikes me as a rather inefficient way of passing
parameters to the database. Doesn't the MySQL client lib offer
a way to send the SQL and the parameters as logically
separate items to the database server ?

Marc-Andre Lemburg

Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611

More information about the DB-SIG mailing list