[DB-SIG] mysql module embeds params in command string

Michael Bayer mike_mp at zzzcomputing.com
Fri Jul 19 16:53:54 CEST 2013


On Jul 19, 2013, at 12:06 AM, Carl Karsten <carl at personnelware.com> wrote:

> That 1/2 answers my question - and it sounds correct for what you are saying.
> 
> But I am wondering why they picked that one.    Yeah Yeah "Ask them"
> is the obvious answer :)

oh, well MySQLdb has been around way longer than all the others.   Four (maybe even two or three) years ago all those other drivers didn't exist yet.


> 
> I am also wondering why so many exist.  I would think after a year or
> 2 they would all merge together.
>  I have trouble trying to dream up 2
> mutually exclusive features.

my impression is that none of them are really targeting features, they are all targeting implementations.  OurSQL uses a different set of MySQL APIs internally (I don't know the details) which supposedly grants significant performance increases.   PyMySQL targets the "written in pure Python" crowd, i.e. no C code, I guess for PyPy, easier builds on Windows.   MySQL-connector-Python I'm not as sure about, it seems to be related to the MySQL project itself and maybe is some kind of attempt to write the code differently, not sure, and cymysql I only know about because the guy's been emailing me dialect updates, it uses Cython, so I imagine the idea there is that it's written in C but is easier to develop and maintain vs. a "raw C" implementation.





> 
> On Thu, Jul 18, 2013 at 10:54 PM, Michael Bayer
> <mike_mp at zzzcomputing.com> wrote:
>> If I had to guess why Django has a statement like that up, they may not have worked out their driver architecture such that they can easily swap out various DBAPI implementations on top of the same database backend; i.e. they probably have a "mysql.py"  module with a big "import MySQLdb" hardcoded into it.   We've supported many DBAPIs per database for so long I've forgotten about that old issue.
>> 
>> Those other drivers generally target MySQLdb for compatibility, so I'm sure you can get them to work at least 90% with django without much more hassle than a monkeypatch.
>> 
>> On Jul 18, 2013, at 11:03 PM, Carl Karsten <carl at personnelware.com> wrote:
>> 
>>> Huh, I didn't know there were any other options.  I wonder why this says this:
>>> 
>>> MySQLdb is the Python interface to MySQL. Version 1.2.1p2 or later is
>>> required for full MySQL support in Django.
>>> 
>>> https://docs.djangoproject.com/en/1.5/ref/databases/#mysqldb
>>> 
>>> 
>>> 
>>> On Thu, Jul 18, 2013 at 9:08 AM, Michael Bayer <mike_mp at zzzcomputing.com> wrote:
>>>> 
>>>> On Jul 18, 2013, at 9:38 AM, Carl Karsten <carl at personnelware.com> wrote:
>>>> 
>>>>> I feel I need to post this now and then in hopes I find someone who
>>>>> can do something about it.  This might even be worth some PSF funding?
>>>>> 
>>>>> I am not a security expert, I am not qualified to assess the risk, it
>>>>> doesn't matter if I consider this a vulnerability.  That said, I know
>>>>> it is a problem that should be fixed.
>>>>> 
>>>>> query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args ))
>>>>> self._query(query)
>>>>> 
>>>>> http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185
>>>>> 
>>>>> Yes: the mysql python module that everyone uses does string
>>>>> substitution to combine the command and parameters into a command with
>>>>> embedded constants.
>>>>> 
>>>>> I opened a bug against it years ago.  I looked at fixing it, but that
>>>>> led me into coercing Python values into whatever the MySQL client lib
>>>>> does, and that is not something I should be doing.
>>>> 
>>>> 
>>>> Not like this shouldn't be fixed, but also in theory, people would be moving to MySQL Connector/Python, seeing as it's the Python driver that's actually advertised on the MySQL site and also runs in Python 3:
>>>> 
>>>> http://dev.mysql.com/doc/connector-python/en/
>>>> 
>>>> I haven't looked at its source, and it did take a long time for this driver to be usable, but recent versions seem to work well.    It's worth seeing what approach it takes to bound parameters internally.
>>>> 
>>>> Not to mention there's lots of other MySQL drivers: OurSQL, cymysql, pymysql.    I've tested all of these and they all work pretty well.
>>>> 
>>>> 
>>> 
>>> 
>>> 
>>> --
>>> Carl K
>> 
> 
> 
> 
> -- 
> Carl K
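An added illustration of the interpolation step quoted from MySQLdb/cursors.py in this thread; this is example code, not MySQLdb's own implementation and not written by anyone in the thread. It models the same `query % tuple(...)` substitution two ways: `interpolate_raw` embeds the caller's values verbatim (the concern raised above), while `interpolate_escaped` first renders each value as a quoted, escaped SQL literal, which is the job the `get_codec(...)` encoders do in the real driver, and only then substitutes. The function names `escape_string`, `literal`, `interpolate_raw` and `interpolate_escaped` are hypothetical. It assumes the server runs with the default sql_mode (backslash escaping in effect; `NO_BACKSLASH_ESCAPES` changes the rules) and an ASCII-compatible connection charset, so escaping character by character is sound.

```python
# Added example, not MySQLdb's code: a model of client-side parameter
# interpolation as done by the line quoted in this thread.
# Assumptions (hypothetical names, default sql_mode, ASCII-compatible charset):
# see the lead-in above.
from datetime import date

# Escape table modelled on what mysql_real_escape_string does for the default
# sql_mode: characters that could end or alter a MySQL string literal.
_ESCAPES = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\x1a": "\\Z",
}


def escape_string(s: str) -> str:
    """Escape the characters that would otherwise terminate a quoted literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in s)


def literal(value) -> str:
    """Render one Python value as MySQL literal text (the encoders' role)."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):          # before int: bool is an int subclass
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, date):          # date and datetime: ISO text, quoted
        return "'" + str(value) + "'"
    return "'" + escape_string(str(value)) + "'"


def interpolate_raw(query: str, args) -> str:
    """Unsafe variant: substitute the caller's values verbatim into the SQL."""
    return query % tuple(args)


def interpolate_escaped(query: str, args) -> str:
    """MySQLdb-style: quote/escape each value, then do the same '%' substitution.

    Because the step is purely textual, a literal '%' in the SQL text (LIKE 'a%')
    must be written '%%', and an argument-count mismatch is reported by Python's
    '%' operator as a TypeError before anything is sent to the server.
    """
    return query % tuple(literal(a) for a in args)


if __name__ == "__main__":
    # Constructed hostile input: a classic quote-breakout attempt.
    hostile = "x' OR '1'='1"
    print(interpolate_raw("SELECT * FROM users WHERE name = '%s'", [hostile]))
    print(interpolate_escaped("SELECT * FROM users WHERE name = %s", [hostile]))
    print(interpolate_escaped("INSERT INTO t VALUES (%s, %s, %s, %s)",
                              [None, 3, True, date(2013, 7, 19)]))
```

The escaped form keeps the hostile value inside one string literal, so the approach is not "just string substitution"; it is substitution of escaped literals. What it still depends on is that the client's escaping rules match what the server will parse (sql_mode, connection charset), which is why the real escaping routine in the C client library is tied to a connection. Server-side bound parameters sidestep that question entirely, since the values never travel inside the SQL text.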


