Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Suggest oursql instead of MySQLdb for Python #54

Open
joepie91 opened this issue Mar 2, 2015 · 2 comments
Open

Suggest oursql instead of MySQLdb for Python #54

joepie91 opened this issue Mar 2, 2015 · 2 comments

Comments

@joepie91
Copy link

joepie91 commented Mar 2, 2015

MySQLdb doesn't actually do parameterized queries, but simply quietly escapes and interpolates the passed-in values behind the scenes. This means that under certain (encoding) circumstances, it could be vulnerable to SQL injection.

oursql has actual parameterization, and should probably be recommended for MySQL instead.
@petdance
Copy link
Owner

petdance commented Mar 3, 2015

Could you write up an example? I know nothing of Python, so rely on readers to do the coding for me on things like this.

@joepie91
Copy link
Author

joepie91 commented Mar 3, 2015

It is effectively the same as the MySQLdb module API-wise (they are both DB-API compliant), they just work differently in the background. oursql speaks the binary protocol (allowing for actual parameterization), whereas MySQLdb escapes the parameters and interpolates (presumably using the older protocol). The example therefore shouldn't really need changing.

That being said, it does use a different parameter style from MySQLdb:

>>> import oursql; print oursql.paramstyle
qmark

Thus the last sentence probably also needs changing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@petdance @joepie91