[DB-SIG] mysql module embeds params in command string

Carl Karsten carl at personnelware.com
Fri Jul 19 06:06:50 CEST 2013


That 1/2 answers my question - and it sounds correct for what you are saying.

But I am wondering why they picked that one.    Yeah Yeah "Ask them"
is the obvious answer :)

I am also wondering why so many exist.  I would think after a year or
2 they would all merge together.  I have trouble trying to dream up 2
mutually exclusive features.

On Thu, Jul 18, 2013 at 10:54 PM, Michael Bayer
<mike_mp at zzzcomputing.com> wrote:
> If I had to guess why Django has a statement like that up, they may not have worked out their driver architecture such that they can easily swap out various DBAPI implementations on top of the same database backend; i.e. they probably have a "mysql.py"  module with a big "import MySQLdb" hardcoded into it.   We've supported many DBAPIs per database for so long I've forgotten about that old issue.
>
> Those other drivers generally target MySQLdb for compatibility, so I'm sure you can get them to work at least 90% with django without much more hassle than a monkeypatch.
>
> On Jul 18, 2013, at 11:03 PM, Carl Karsten <carl at personnelware.com> wrote:
>
>> Huh, I didn't know there were any other options.  I wonder why this says this:
>>
>> MySQLdb is the Python interface to MySQL. Version 1.2.1p2 or later is
>> required for full MySQL support in Django.
>>
>> https://docs.djangoproject.com/en/1.5/ref/databases/#mysqldb
>>
>>
>>
>> On Thu, Jul 18, 2013 at 9:08 AM, Michael Bayer <mike_mp at zzzcomputing.com> wrote:
>>>
>>> On Jul 18, 2013, at 9:38 AM, Carl Karsten <carl at personnelware.com> wrote:
>>>
>>>> I feel I need to post this now and then in hopes I find someone who
>>>> can do something about it.  This might even be worth some PSF funding?
>>>>
>>>> I am not a security expert, I am not qualified to assess the risk, it
>>>> doesn't matter if I consider this a vulnerability.  That said, I know
>>>> it is a problem that should be fixed.
>>>>
>>>> query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args ))
>>>> self._query(query)
>>>>
>>>> http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185
>>>>
>>>> Yes: the mysql python module that everyone uses does string
>>>> substitution to combine the command and parameters into a command with
>>>> embedded constants.
>>>>
>>>> I opened a bug against it years ago.  I looked at fixing it, but that
>>>> led me into coercing python values into whatever the mysql client lib
>>>> does, and that is not something I should be doing.
>>>
>>>
>>> Not like this shouldn't be fixed, but also in theory, people would be moving to MySQL Connector/Python, seeing as it's the Python driver that's actually advertised on the MySQL site and also runs in Python 3:
>>>
>>> http://dev.mysql.com/doc/connector-python/en/
>>>
>>> I haven't looked at its source, and it did take a long time for this driver to be usable, but recent versions seem to work well.    It's worth seeing what approach it takes to bound parameters internally.
>>>
>>> Not to mention there's lots of other MySQL drivers: OurSQL, cymysql, pymysql.    I've tested all of these and they all work pretty well.
>>>
>>>
>>
>>
>>
>> --
>> Carl K
>



-- 
Carl K
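Added illustration (not code from the thread, from MySQLdb or from any other driver): a minimal, hypothetical model of what the quoted `query % tuple(...)` line does, i.e. how a client-side "format" paramstyle turns `cursor.execute(query, args)` into one SQL string before anything reaches the server. The escaping table and function names are assumptions for illustration; a real driver derives the escaping from the connection's character set via the client library, which is the coercion problem the thread mentions.

```python
import datetime

# Hypothetical escaping table, modelled on backslash-style escaping of a
# MySQL string literal; the real driver delegates this to the client library
# because correct escaping depends on the connection's character set.
_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\n": "\\n", "\r": "\\r", "\0": "\\0", "\x1a": "\\Z",
}

def string_literal(value: str) -> str:
    """Return value as a single-quoted MySQL literal with special characters escaped."""
    return "'" + "".join(_ESCAPES.get(ch, ch) for ch in value) + "'"

def encode_param(value):
    """Coerce one Python value into SQL literal text; this is the per-type
    'codec' role that get_codec() plays in the quoted MySQLdb snippet."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):            # must precede int: bool is an int subclass
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, (datetime.date, datetime.datetime)):
        return string_literal(str(value))  # e.g. '2013-07-18 22:54:00'
    if isinstance(value, str):
        return string_literal(value)
    raise TypeError(f"no codec for {type(value).__name__}")

def render(query: str, args=()) -> str:
    """What the server receives for cursor.execute(query, args) under a
    client-side 'format' paramstyle: every %s is replaced by escaped literal
    text and the single resulting string is sent.  Because the whole query
    goes through Python's % operator, a literal % in the SQL must be written
    %% and a placeholder/argument count mismatch raises TypeError."""
    return query % tuple(encode_param(a) for a in args)

if __name__ == "__main__":
    # Constructed sample calls, not taken from the thread.
    print(render("SELECT id FROM users WHERE name = %s", ["O'Brien"]))
    print(render("SELECT id FROM users WHERE name LIKE %s", ["%admin%"]))
    print(render("SELECT 7 %% %s", [3]))
```

The substituted value is never re-parsed by `%`, so a `%` inside an argument is fine, while a bare `%` in the query text itself is not; that asymmetry is a direct consequence of doing substitution in the client rather than in the server.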