[DB-SIG] mysql module embeds params in command string

Michael Bayer mike_mp at zzzcomputing.com
Fri Jul 19 05:54:26 CEST 2013


If I had to guess why Django has a statement like that up, they may not have worked out their driver architecture such that they can easily swap out various DBAPI implementations on top of the same database backend; i.e. they probably have a "mysql.py" module with a big "import MySQLdb" hardcoded into it. We've supported many DBAPIs per database for so long I've forgotten about that old issue.

Those other drivers generally target MySQLdb for compatibility, so I'm sure you can get them to work at least 90% with django without much more hassle than a monkeypatch.

On Jul 18, 2013, at 11:03 PM, Carl Karsten <carl at personnelware.com> wrote:

> Huh, I didn't know there were any other options.  I wonder why this says this:
> 
> MySQLdb is the Python interface to MySQL. Version 1.2.1p2 or later is
> required for full MySQL support in Django.
> 
> https://docs.djangoproject.com/en/1.5/ref/databases/#mysqldb
> 
> 
> 
> On Thu, Jul 18, 2013 at 9:08 AM, Michael Bayer <mike_mp at zzzcomputing.com> wrote:
>> 
>> On Jul 18, 2013, at 9:38 AM, Carl Karsten <carl at personnelware.com> wrote:
>> 
>>> I feel I need to post this now and then in hopes I find someone who
>>> can do something about it.  This might even be worth some PSF funding?
>>> 
>>> I am not a security expert, I am not qualified to assess the risk, it
>>> doesn't matter if I consider this a vulnerability.  That said, I know
>>> it is a problem that should be fixed.
>>> 
>>> query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args ))
>>> self._query(query)
>>> 
>>> http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185
>>> 
>>> Yes: the mysql python module that everyone uses does string
>>> substitution to combine the command and parameters into a command with
>>> embedded constants.
>>> 
>>> I opened a bug against it years ago.  I looked at fixing it, but that
>>> led me into coercing python values into whatever the mysql client lib
>>> does, and that is not something I should be doing.
>> 
>> 
>> Not like this shouldn't be fixed, but also in theory, people would be moving to MySQL Connector/Python, seeing as it's the Python driver that's actually advertised on the MySQL site and also runs in Python 3:
>> 
>> http://dev.mysql.com/doc/connector-python/en/
>> 
>> I haven't looked at its source, and it did take a long time for this driver to be usable, but recent versions seem to work well. It's worth seeing what approach it takes to bound parameters internally.
>> 
>> Not to mention there's lots of other MySQL drivers: OurSQL, cymysql, pymysql. I've tested all of these and they all work pretty well.
>> 
>> 
> 
> 
> 
> -- 
> Carl K
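Added illustration for the thread above, not MySQLdb's own code: a minimal model of the client-side interpolation pattern Carl quotes (`query % tuple(encoder(arg) ...)`), next to a driver that binds parameters on the server side. The encoder names, the escaping table and the sample rows are assumptions made for the example; sqlite3 stands in for a server-side-binding driver only because it ships with Python.

```python
# Added example for this thread, not MySQLdb's own code: a minimal model of
# client-side parameter interpolation (the `query % tuple(encoder(arg) ...)`
# pattern quoted above) next to a driver that binds on the server side.
# The encoder names, the escaping table and the sample rows are assumptions.
import datetime
import sqlite3


def escape_string(s):
    """Backslash-escape the characters that are special inside a single-quoted
    MySQL string literal.  Assumed subset for illustration: the real client
    library's rules depend on the connection character set, which is exactly
    why reproducing this step in Python is hard to get right."""
    table = {
        "\\": "\\\\", "'": "\\'", '"': '\\"',
        "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
    }
    return "".join(table.get(ch, ch) for ch in s)


def encode_literal(value):
    """Render one Python value as SQL literal text on the client."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):          # before int: bool is an int subclass
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, (datetime.date, datetime.datetime)):
        return "'" + str(value) + "'"     # e.g. '2013-07-18 09:38:00'
    if isinstance(value, str):
        return "'" + escape_string(value) + "'"
    raise TypeError("no encoder for %r" % (type(value),))


def interpolate(query, args=None):
    """Client-side interpolation as in the quoted pattern: the values are spliced
    into the command text before anything is sent, so the server only ever sees
    a finished statement.  Supports the DBAPI 'format' (%s) and 'pyformat'
    (%(name)s) paramstyles."""
    if args is None:
        return query
    if isinstance(args, dict):
        return query % {k: encode_literal(v) for k, v in args.items()}
    return query % tuple(encode_literal(a) for a in args)


def interpolation_error(query, args):
    """Return the name of the exception client-side interpolation raises, or
    None.  These errors come from Python's % operator, not from the database."""
    try:
        interpolate(query, args)
    except (TypeError, ValueError) as exc:
        return type(exc).__name__
    return None


def bound_lookup(name):
    """Contrast: a driver whose binding happens on the server side.  sqlite3 is
    used here only because it ships with Python; the SQL text is sent unchanged
    and the value travels separately, so there is no escaping step to get wrong."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice",), ("bob",)])      # constructed sample rows
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    hostile = "x' OR '1'='1"
    # With interpolation the hostile value is harmless only because
    # escape_string() quoted it correctly; the result is plain text to the server.
    print(interpolate("SELECT * FROM users WHERE name = %s", (hostile,)))
    # A literal % in the query text must be doubled once args are supplied.
    print(interpolation_error("SELECT 1 WHERE c LIKE 'a%' AND d = %s", (1,)))
    print(interpolate("SELECT 1 WHERE c LIKE 'a%%' AND d = %s", (1,)))
    # Server-side binding: same hostile value, matched as a literal string.
    print(bound_lookup(hostile))
```

The point the model makes concrete: the DBAPI paramstyle says nothing about where binding happens. With the interpolation design every parameter's safety rests on the Python-side encoder agreeing with the server's parsing rules (character set included), a stray `%` in the query text becomes a client-side formatting error, and an argument-count mismatch never reaches the server at all. Whichever MySQL driver you pick, read its `execute()` before assuming the values are bound by the protocol.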