I feel I need to post this now and then in hopes I find someone who can do something about it. This might even be worth some PSF funding?
I am not a security expert, I am not qualified to assess the risk, it doesn't matter if I consider this a vulnerability. That said, I know it is a problem that should be fixed.

    query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args ))
    self._query(query)

http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185

Yes: the mysql python module that everyone uses does string substitution to combine the command and parameters into a command with embedded constants.

I opened a bug against it years ago. I looked at fixing it, but that led me into coercing python values into whatever the mysql client lib does, and that is not something I should be doing.

--
Carl K
_______________________________________________
DB-SIG maillist - DB-SIG@python.org
http://mail.python.org/mailman/listinfo/db-sig
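Added illustration, not part of the post above and not MySQLdb's own code: a small stand-in for the "encode each argument, then interpolate with `%`" scheme the post describes, so the consequences can be seen without a MySQL server. The names `escape_literal` and `interpolate` are hypothetical; the escaping rules follow MySQL's documented backslash and doubled-quote conventions, and the `backslash_escapes` switch stands in for the server's `NO_BACKSLASH_ESCAPES` SQL mode, which the client cannot know about unless it tracks session state.

```python
# Added example (hypothetical names): emulates client-side parameter
# substitution. The server never receives a separate parameter; it only
# receives text that the client has escaped and spliced into the query.


def escape_literal(value, backslash_escapes=True):
    """Render one Python value as MySQL literal text.

    backslash_escapes=True  mirrors the default SQL mode (backslash escapes).
    backslash_escapes=False mirrors NO_BACKSLASH_ESCAPES, where a backslash is
    an ordinary character and a quote is escaped only by doubling it.
    A client that escapes for the wrong mode produces wrong SQL, which is the
    core fragility of doing this on the client side.
    """
    if value is None:
        return "NULL"
    if isinstance(value, bool):          # must precede the int check
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, bytes):
        value = value.decode("utf-8")
    if not isinstance(value, str):
        raise TypeError("no encoder for %r" % type(value).__name__)

    if backslash_escapes:
        table = {
            "\\": "\\\\", "'": "\\'", '"': '\\"',
            "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
        }
    else:
        table = {"'": "''"}
    return "'" + "".join(table.get(ch, ch) for ch in value) + "'"


def interpolate(query, args, backslash_escapes=True):
    """Mirror of `query % tuple(encoder(a) for a in args)`.

    Because Python's % operator does the splicing, every literal % in the
    query text (LIKE patterns, the modulo operator) must be written as %%.
    """
    return query % tuple(escape_literal(a, backslash_escapes) for a in args)


def like_by_name(fragment):
    """Correct way to pass a LIKE pattern under this scheme: build the pattern
    in Python and hand it over as a parameter, so the % signs never reach the
    format operator."""
    return interpolate(
        "SELECT id FROM users WHERE name LIKE %s", ("%" + fragment + "%",)
    )


def modulo_example(label):
    """A literal % in the query text has to be doubled."""
    return interpolate("SELECT 100 %% 7 AS r, %s AS v", (label,))


if __name__ == "__main__":
    print(interpolate("SELECT * FROM users WHERE name = %s AND id = %s",
                      ("O'Reilly", 7)))
    print(interpolate("SELECT * FROM users WHERE name = %s",
                      ("O'Reilly",), backslash_escapes=False))
    print(like_by_name("car"))
    print(modulo_example("x"))
```

The same two observations hold for real MySQLdb: a literal `%` in a parameterised query must be written `%%`, and the text the server receives is indistinguishable from a query written with constants, so correctness rests entirely on the client's encoders matching the server's quoting rules.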