[DB-SIG] mysql module embeds params in command string
mike_mp at zzzcomputing.com
Thu Jul 18 16:08:25 CEST 2013
On Jul 18, 2013, at 9:38 AM, Carl Karsten <carl at personnelware.com> wrote:
> I feel I need to post this now and then in hopes I find someone who
> can do something about it. This might even be worth some PSF funding?
> I am not a security expert, I am not qualified to assess the risk, it
> doesn't matter if I consider this a vulnerability. That said, I know
> it is a problem that should be fixed.
> query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args ))
> Yes: the mysql python module that everyone uses does string
> substitution to combine the command and parameters into a command with
> embedded constants.
> I opened a bug against it years ago. I looked at fixing it, but that
> led me into coercing python values into whatever the mysql client lib
> does, and that is not something I should be doing.
Not like this shouldn't be fixed, but also in theory, people would be moving to MySQL Connector/Python, seeing as it's the Python driver that's actually advertised on the MySQL site and also runs in Python 3:
I haven't looked at its source, and it did take a long time for this driver to be usable, but recent versions seem to work well. It's worth seeing what approach it takes to bound parameters internally.
Not to mention there's lots of other MySQL drivers: OurSQL, cymysql, pymysql. I've tested all of these and they all work pretty well.
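Added example, not part of the original thread and not MySQLdb's code: a simplified model of the quoted `query % tuple(...)` line, set beside a modelled bound-parameter path in which the statement text and the values stay separate. Only `get_codec` and `encoders` come from the quoted line; the escaping rule, the encoder table, `interpolate`, `bind_separately` and the sample query are assumptions made for illustration.

```python
from datetime import date

def quote_str(db, value):
    # Constructed rule for this model: backslash-escape \ and ', then wrap in quotes.
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def quote_number(db, value):
    return repr(value)

def quote_date(db, value):
    return "'" + value.isoformat() + "'"

# Hypothetical encoder table; `db` is unused here but kept to match the quoted call.
ENCODERS = {str: quote_str, int: quote_number, float: quote_number, date: quote_date}

# Same table with a string encoder that forgets to escape (the failure case).
NAIVE_ENCODERS = {**ENCODERS, str: lambda db, v: "'" + v + "'"}

def get_codec(value, encoders):
    """Return the encoder for the value's exact type; refuse anything unknown."""
    try:
        return encoders[type(value)]
    except KeyError:
        raise TypeError("no encoder for %s" % type(value).__name__) from None

def interpolate(query, args, db=None, encoders=ENCODERS):
    """Client-side path: every value becomes SQL text inside one command string."""
    return query % tuple(get_codec(a, encoders)(db, a) for a in args)

def bind_separately(query, args):
    """Bound-parameter path (modelled): statement text and values stay apart."""
    return query.replace("%s", "?"), tuple(args)

QUERY = "SELECT id FROM authors WHERE name = %s AND born < %s"
ARGS = ("O'Reilly", date(1970, 1, 1))  # constructed sample values

if __name__ == "__main__":
    print("interpolated:", interpolate(QUERY, ARGS))
    print("naive encoder:", interpolate(QUERY, ARGS, encoders=NAIVE_ENCODERS))
    print("bound:", bind_separately(QUERY, ARGS))
```

With interpolation, the only thing keeping a value out of the command grammar is the encoder chosen for its type, so every encoder is security-critical code; on the bound path the statement text never contains the value.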