Huh, I didn't know there were any other options. I wonder why this says this:
MySQLdb is the Python interface to MySQL. Version 1.2.1p2 or later is required for full MySQL support in Django.
https://docs.djangoproject.com/en/1.5/ref/databases/#mysqldb

On Thu, Jul 18, 2013 at 9:08 AM, Michael Bayer <mike...@zzzcomputing.com> wrote:
>
> On Jul 18, 2013, at 9:38 AM, Carl Karsten <c...@personnelware.com> wrote:
>
>> I feel I need to post this now and then in hopes I find someone who
>> can do something about it. This might even be worth some PSF funding?
>>
>> I am not a security expert, I am not qualified to assess the risk, it
>> doesn't matter if I consider this a vulnerability. That said, I know
>> it is a problem that should be fixed.
>>
>> query = query % tuple((get_codec(a, self.encoders)(db, a) for a in args))
>> self._query(query)
>>
>> http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185
>>
>> Yes: the mysql python module that everyone uses does string
>> substitution to combine the command and parameters into a command with
>> embedded constants.
>>
>> I opened a bug against it years ago. I looked at fixing it, but that
>> led me into coercing python values into whatever the mysql client lib
>> does, and that is not something I should be doing.
>
>
> Not like this shouldn't be fixed, but also in theory, people would be moving
> to MySQL Connector/Python, seeing as it's the Python driver that's actually
> advertised on the MySQL site and also runs in Python 3:
>
> http://dev.mysql.com/doc/connector-python/en/
>
> I haven't looked at its source, and it did take a long time for this driver
> to be usable, but recent versions seem to work well. It's worth seeing
> what approach it takes to bound parameters internally.
>
> Not to mention there's lots of other MySQL drivers: OurSQL, cymysql, pymysql.
> I've tested all of these and they all work pretty well.
>

--
Carl K

_______________________________________________
DB-SIG maillist - DB-SIG@python.org
http://mail.python.org/mailman/listinfo/db-sig
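An added example to illustrate the distinction the thread is about; it is not code from the thread, from MySQLdb or from any of the drivers named. The quoted MySQLdb line interpolates *encoded* values into the statement client-side (the `get_codec` step), which is different from the bare `%` interpolation shown in `lookup_interpolated` below and from server-side binding. Since a MySQL server is not available offline, the stand-in is the standard-library `sqlite3` module with constructed sample rows; the table name, sample values and function names are all assumptions. `binding_roundtrip` is the check Michael's "worth seeing what approach it takes to bound parameters" suggests, written against the DB-API cursor interface so it can be pointed at any driver: it feeds awkward values through a bound parameter and reports any that do not come back unchanged.

```python
import sqlite3

# Constructed sample data; nothing here comes from the mailing-list thread.
SAMPLE_NAMES = ["alice", "O'Brien", "back\\slash"]

# Values that exercise the characters a client-side encoder must get right:
# a single quote, a backslash, a statement separator and a non-ASCII character.
AWKWARD_VALUES = ["O'Brien", "a\\b", "x'; DROP TABLE users; --", "\u00fc"]


def make_db():
    """In-memory SQLite database standing in for the MySQL server (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    conn.commit()
    return conn


def lookup_interpolated(conn, name):
    """Bare % interpolation with no encoding step at all.

    The get_codec() call in the quoted MySQLdb line is exactly what this omits:
    without it, a quote inside the value becomes part of the SQL grammar and the
    statement no longer means what the caller intended.
    """
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Hand the value to the driver as a parameter.

    Whether the driver encodes it client-side (MySQLdb's approach) or ships it
    separately for server-side binding, the value never reaches the grammar.
    """
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def interpolation_breaks(conn, name):
    """True if bare interpolation of `name` yields a statement the server rejects."""
    try:
        lookup_interpolated(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


def binding_roundtrip(conn, placeholder="?"):
    """Smoke test for any DB-API 2.0 driver's parameter handling.

    Every awkward value must come back unchanged through a bound parameter and
    the users table must still exist afterwards.  Pass placeholder="%s" for a
    driver whose paramstyle is 'format' (MySQLdb, MySQL Connector/Python).
    Returns the list of values that did not survive the round trip.
    """
    failures = []
    cur = conn.cursor()
    for value in AWKWARD_VALUES:
        cur.execute("SELECT " + placeholder, (value,))
        got = cur.fetchone()[0]
        if got != value:
            failures.append(value)
    cur.execute("SELECT COUNT(*) FROM users")  # raises if the table is gone
    cur.fetchone()
    return failures


if __name__ == "__main__":
    db = make_db()
    for n in SAMPLE_NAMES:
        print("%-14r bound=%r interpolation_breaks=%s"
              % (n, lookup_bound(db, n), interpolation_breaks(db, n)))
    print("round-trip failures:", binding_roundtrip(db))
```

Note that `back\slash` only breaks under bare interpolation against MySQL, not SQLite: MySQL treats a backslash inside a string literal as an escape character (unless the `NO_BACKSLASH_ESCAPES` SQL mode is set), SQLite does not. Getting that right for every type, SQL mode and connection charset is the "coercing python values into whatever the mysql client lib does" that Carl declined to reimplement, and it is why the round-trip check is worth running against the real driver and server rather than trusting the stand-in.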