[DB-SIG] mysql module embeds params in command string

Carl Karsten carl at personnelware.com
Fri Jul 19 05:03:54 CEST 2013


Huh, I didn't know there were any other options.  I wonder why this says this:

MySQLdb is the Python interface to MySQL. Version 1.2.1p2 or later is
required for full MySQL support in Django.

https://docs.djangoproject.com/en/1.5/ref/databases/#mysqldb



On Thu, Jul 18, 2013 at 9:08 AM, Michael Bayer <mike_mp at zzzcomputing.com> wrote:
>
> On Jul 18, 2013, at 9:38 AM, Carl Karsten <carl at personnelware.com> wrote:
>
>> I feel I need to post this now and then in hopes I find someone who
>> can do something about it.  This might even be worth some PSF funding?
>>
>> I am not a security expert, I am not qualified to assess the risk, it
>> doesn't matter if I consider this a vulnerability.  That said, I know
>> it is a problem that should be fixed.
>>
>> query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args ))
>> self._query(query)
>>
>> http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185
>>
>> Yes: the mysql python module that everyone uses does string
>> substitution to combine the command and parameters into a command with
>> embedded constants.
>>
>> I opened a bug against it years ago.  I looked at fixing it, but that
>> led me into coercing python values into whatever the mysql client lib
>> does, and that is not something I should be doing.
>
>
> Not like this shouldn't be fixed, but also in theory, people would be moving to MySQL Connector/Python, seeing as it's the Python driver that's actually advertised on the MySQL site and also runs in Python 3:
>
> http://dev.mysql.com/doc/connector-python/en/
>
> I haven't looked at its source, and it did take a long time for this driver to be usable, but recent versions seem to work well.    It's worth seeing what approach it takes to bound parameters internally.
>
> Not to mention there's lots of other MySQL drivers: OurSQL, cymysql, pymysql.    I've tested all of these and they all work pretty well.
>
>



-- 
Carl K
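The pattern the quoted cursors.py line implements, as an added example that is not MySQLdb's code and not from anyone in the thread: a toy model of client-side interpolation next to a model of server-side binding. The encoders, query text and values are all constructed for illustration; the real driver's codecs depend on the connection's charset and server settings, which this model does not know about.

```python
from typing import Any, Callable, Dict, Tuple

def encode_str(value: str) -> str:
    # Constructed encoder: backslash-escape and single-quote a string so the
    # server can only read it as one string literal.
    escaped = value.replace("\\", "\\\\").replace("'", "\\'").replace("\0", "\\0")
    return "'" + escaped + "'"

def encode_int(value: int) -> str:
    return str(int(value))

def encode_none(_: Any) -> str:
    return "NULL"

# Per-type codecs, the role self.encoders plays in the quoted cursors.py line.
ENCODERS: Dict[type, Callable[[Any], str]] = {
    str: encode_str, int: encode_int, type(None): encode_none,
}

def client_side_interpolate(query: str, args: Tuple[Any, ...]) -> str:
    """Model of `query % tuple(codec(a) for a in args)`: the result is the
    complete SQL text the server receives, with every parameter already
    embedded as a literal. Its safety rests entirely on the codecs agreeing
    with the server's lexer (charset, sql_mode), which this toy model ignores.
    Because the whole string goes through the % operator, a literal % in the
    query (e.g. in LIKE patterns) must be written as %%."""
    encoded = []
    for a in args:
        codec = ENCODERS.get(type(a))
        if codec is None:
            raise TypeError("no encoder for %r" % type(a).__name__)
        encoded.append(codec(a))
    return query % tuple(encoded)

def server_side_bind(query: str, args: Tuple[Any, ...]) -> Tuple[str, Tuple[Any, ...]]:
    """Model of true parameter binding (prepared statements): statement text
    and values travel separately, so the server never parses the values as
    part of the SQL text and no client-side escaping is involved."""
    return query, tuple(args)

if __name__ == "__main__":
    q = "SELECT id FROM users WHERE name = %s AND group_id = %s"
    print(client_side_interpolate(q, ("O'Brien", 7)))   # literals embedded
    print(server_side_bind(q, ("O'Brien", 7)))          # text and values apart
    print(client_side_interpolate("SELECT 1 WHERE note LIKE '%%draft%%' AND owner = %s", (None,)))
```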