[DB-SIG] mysql module embeds params in command string
mal at egenix.com
Thu Jul 18 15:55:42 CEST 2013
Carl Karsten wrote:
> I feel I need to post this now and then in hopes I find someone who
> can do something about it. This might even be worth some PSF funding?
> I am not a security expert, I am not qualified to assess the risk, it
> doesn't matter if I consider this a vulnerability. That said, I know
> it is a problem that should be fixed.
> query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args ))
> Yes: the mysql python module that everyone uses does string
> substitution to combine the command and parameters into a command with
> embedded constants.
> I opened a bug against it years ago. I looked at fixing it, but that
> led me into coercing python values into whatever the mysql client lib
> does, and that is not something I should be doing.
As long as the encoders properly quote all parameter values,
such an operation should be fine, but I agree: this would
probably need an audit by a MySQL expert who has intimate
knowledge about all the different quoting rules MySQL supports.
Aside: I don't know anything about the MySQL client C API,
but the above strikes me as a rather inefficient way of passing
parameters to the database. Doesn't the MySQL client lib offer
a way to send the SQL and the parameters as logically
separate items to the database server?
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
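
The two approaches discussed in this thread, side by side, as an added example that is not part of the original post and not MySQLdb's code. It uses the standard-library sqlite3 module as a stand-in for a MySQL server; the encoder table, function names and sample value are hypothetical.

```python
import sqlite3

# Hypothetical encoder table in the style of the quoted line: each encoder
# turns a Python value into SQL literal text that is pasted into the command.
def encode_str(value):
    # Doubling single quotes is the only quoting rule SQLite needs. MySQL has
    # more (backslash escapes, character sets, sql_mode), hence the audit concern.
    return "'" + value.replace("'", "''") + "'"

ENCODERS = {str: encode_str, int: str}

def interpolate(query, args, encoders=ENCODERS):
    """Client-side substitution: parameters become part of the command text."""
    return query % tuple(encoders[type(a)](a) for a in args)

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [("alice", 1), ("bob", 0)])
    return db

def lookup_interpolated(db, name, encoders=ENCODERS):
    sql = interpolate("SELECT name FROM users WHERE name = %s", (name,), encoders)
    return sql, db.execute(sql).fetchall()

def lookup_bound(db, name):
    # SQL and value travel separately; the value is never parsed as SQL.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

# Constructed input: a value containing a quote character.
HOSTILE = "x' OR '1'='1"
# An encoder that forgets to escape, to show what the whole scheme rests on.
BROKEN = {str: lambda v: "'" + v + "'", int: str}

if __name__ == "__main__":
    db = make_db()
    print(lookup_interpolated(db, HOSTILE))          # correct encoder: no rows
    print(lookup_interpolated(db, HOSTILE, BROKEN))  # broken encoder: every row
    print(lookup_bound(db, HOSTILE))                 # bound parameter: no rows
```

With interpolation, safety depends entirely on every encoder matching the server's quoting rules; with bound parameters there is no quoting step to get wrong.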