Max00355

Reputation: 867

Fixing SQL Injection With _mysql

I just found out that the way I am using _mysql is causing a major SQL Injection problem.

My current code looks like:

import _mysql

db = _mysql.connect('', 'user', 'pass', 'db')
# user_input is formatted straight into the SQL text; this is the injection problem
query = """SELECT * FROM stuff WHERE thing="{0}" """.format(user_input)
db.query(query)

What am I doing wrong and how can I fix it so that it is safe?

I have tried using _mysql.escape_string() but that still returns an SQL syntax error.

Upvotes: 0

Views: 1200

Answers (2)

Robert H

Reputation: 11730

A nice handy reference is available via the bobby tables website.

You may also find value in this PowerPoint reference, which shows some examples of SQL injection as well as possible ways to mitigate the issue.

Upvotes: 2

Explosion Pills

Reputation: 191749

You can use MySQLdb on its own:

import MySQLdb

conn = MySQLdb.connect()  # pass host/user/passwd/db arguments as needed
curs = conn.cursor()
# %s is a bound parameter; the values must be given as a sequence (note the trailing comma)
curs.execute("SELECT * FROM stuff WHERE thing = %s", (user_input,))

If you want to stick with _mysql, use db.escape_string(user_input).

Documentation: http://mysql-python.sourceforge.net/MySQLdb.html

Upvotes: 2
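The difference between the question's string formatting and the parameterized query recommended in this answer, as an added example that is not part of the original post. It uses Python's built-in sqlite3 module as a stand-in for MySQLdb so it runs offline; sqlite3 binds parameters with `?` where MySQLdb uses `%s`, and single quotes are used for string literals (MySQL also accepts the double quotes from the question). The table, rows and hostile input are all constructed for the demonstration.

```python
# Added example: string interpolation vs. bound parameters for the query in the question.
# sqlite3 is used as a stand-in DB-API driver (assumption) so the code runs offline.
import sqlite3


def make_db():
    """Build an in-memory 'stuff' table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stuff (id INTEGER PRIMARY KEY, thing TEXT)")
    conn.executemany(
        "INSERT INTO stuff (thing) VALUES (?)",
        [("apple",), ("banana",), ("cherry",)],
    )
    return conn


def lookup_unsafe(conn, user_input):
    """The pattern from the question: the value is formatted into the SQL text,
    so a quote inside user_input changes the structure of the statement."""
    query = "SELECT thing FROM stuff WHERE thing='{0}'".format(user_input)
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, user_input):
    """Bound parameter: the value travels separately from the SQL text and is
    compared literally, whatever characters it contains. MySQLdb equivalent:
        curs.execute("SELECT thing FROM stuff WHERE thing = %s", (user_input,))
    The trailing comma matters: the second argument must be a sequence."""
    rows = conn.execute("SELECT thing FROM stuff WHERE thing = ?", (user_input,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed input that closes the quote and adds a tautology
    print(lookup_unsafe(conn, "apple"))   # ['apple']
    print(lookup_unsafe(conn, hostile))   # every row: the WHERE clause is now always true
    print(lookup_safe(conn, hostile))     # []: the whole string is matched as data
```

Running it shows why the answer's `execute(sql, (user_input,))` form fixes the problem: the hostile string returns every row through the formatted query and nothing through the bound one.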
