Carl Karsten wrote:
> I feel I need to post this now and then in hopes I find someone who
> can do something about it. This might even be worth some PSF funding?
>
> I am not a security expert, I am not qualified to assess the risk, it
> doesn't matter if I consider this a vulnerability. That said, I know
> it is a problem that should be fixed.
>
> query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args ))
> self._query(query)
>
> http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185
>
> Yes: the mysql python module that everyone uses does string
> substitution to combine the command and parameters into a command with
> embedded constants.
>
> I opened a bug against it years ago. I looked at fixing it, but that
> led me into coercing python values into whatever the mysql client lib
> does, and that is not something I should be doing.
As long as the encoders properly quote all parameter values, such an operation should be fine, but I agree: this would probably need an audit by a MySQL expert who has intimate knowledge about all the different quoting rules MySQL supports.

Aside: I don't know anything about the MySQL client C API, but the above strikes me as a rather inefficient way of passing parameters to the database. Doesn't the MySQL client lib offer a way to send the SQL and the parameters as logically separate items to the database server?

--
Marc-Andre Lemburg

_______________________________________________
DB-SIG maillist - DB-SIG@python.org
http://mail.python.org/mailman/listinfo/db-sig
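As an added illustration (not code from this thread or from MySQLdb), the following models the interpolation step Carl quotes with a careful encoder, a weak encoder, and a small audit check of the kind Marc-Andre asks for. `escape_string` is a constructed approximation of MySQL's default backslash escaping and assumes NO_BACKSLASH_ESCAPES is off and an ASCII-compatible connection charset; under other settings the rules differ, which is exactly why the quoting logic needs an expert audit.

```python
import re

# Constructed approximation of MySQL's default backslash escaping for string
# literals (NOT MySQLdb's encoder). Assumes default sql_mode (NO_BACKSLASH_ESCAPES
# off) and an ASCII-compatible connection charset.
_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

def escape_string(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def encode_quoted(value):
    """Careful encoder: each parameter becomes one self-contained SQL literal."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):  # bool is an int subclass; check it first
        return "1" if value else "0"
    if isinstance(value, int):
        return str(value)
    return "'%s'" % escape_string(str(value))

def encode_naive(value):
    """Weak encoder: quotes but never escapes. The kind of defect an audit must catch."""
    return str(value) if isinstance(value, int) else "'%s'" % value

def render(query, args, encoder):
    """The client-side interpolation from the quoted cursors.py line, with the
    encoder made pluggable. A literal % in the SQL itself must be written %%."""
    return query % tuple(encoder(a) for a in args)

# One well-formed single-quoted literal: escaped chars or anything but a quote.
_LITERAL = re.compile(r"'(?:\\.|[^'\\])*'")

SAMPLE_QUERY = "SELECT id FROM users WHERE name = %s AND active = %s"  # constructed

def parameters_stay_literal(query, args, encoder):
    """Audit check: after rendering, every string argument must still be exactly
    one literal, and no quote may remain outside a literal."""
    sql = render(query, args, encoder)
    expected = sum(1 for a in args if isinstance(a, str))
    outside = _LITERAL.sub("", sql)
    return len(_LITERAL.findall(sql)) == expected and "'" not in outside

if __name__ == "__main__":
    for name in ("O'Brien", "trailing\\", "plain"):  # constructed inputs
        print(name, parameters_stay_literal(SAMPLE_QUERY, (name, True), encode_quoted),
              parameters_stay_literal(SAMPLE_QUERY, (name, True), encode_naive))
```

The alternative Marc-Andre asks about does exist in the C client as prepared statements (mysql_stmt_prepare / mysql_stmt_bind_param), where parameters travel separately from the SQL text and no client-side quoting is involved.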