MySQL parameterized queries

by

Beware of using string interpolation for SQL queries, since it won’t escape the input parameters correctly and will leave your application open to SQL injection vulnerabilities. The difference might seem trivial, but in reality it’s huge.

Incorrect (with security issues)

c.execute("SELECT * FROM foo WHERE bar = %s AND baz = %s" % (param1, param2))

Correct (with escaping)

c.execute("SELECT * FROM foo WHERE bar = %s AND baz = %s", (param1, param2))

It adds to the confusion that the modifiers used to bind parameters in a SQL statement varies between different DB API implementations and that the mysql client library uses printf style syntax instead of the more commonly accepted ‘?’ marker (used by eg. python-sqlite).

More Related Contents:

  1. Python read from txt and save into mysql
  2. PyInstaller, spec file, ImportError: No module named ‘blah’
  3. How to install Python MySQLdb module using pip?
  4. How to convert SQL Query result to PANDAS Data Structure?
  5. Escape string Python for MySQL
  6. pip install mysqlclient returns “fatal error C1083: Cannot open file: ‘mysql.h’: No such file or directory
  7. How do I get a raw, compiled SQL query from a SQLAlchemy expression?
  8. Load CSV data into MySQL in Python
  9. Enable Python to Connect to MySQL via SSH Tunnelling
  10. Inserting a Python datetime.datetime object into MySQL
  11. How to replace Django’s primary key with a different integer that is unique for that table
  12. MySQL — Joins Between Databases On Different Servers Using Python?
  13. Using a Python dict for a SQL INSERT statement
  14. Python Mysql, “commands out of sync; you can’t run this command now”
  15. How do I escape % from python mysql query
  16. Bulk insert with SQLAlchemy ORM
  17. RuntimeError: working outside of application context
  18. Why are some mysql connections selecting old data the mysql database after a delete + insert?
  19. ImportError: No module named MySQLdb
  20. Can’t install mysql-python (newer versions) in Windows
  21. Using Django database layer outside of Django?
  22. How to move a model between two Django apps (Django 1.7)
  23. How do i cast char to integer while querying in django ORM?
  24. flake8 complains on boolean comparison “==” in filter clause
  25. How do I get time from a datetime.timedelta object?
  26. Python issue:Unable to find vcvarsall.bat [duplicate]
  27. Print results in MySQL format with Python
  28. Context manager for Python’s MySQLdb
  29. Retrieve query results as dict in SQLAlchemy
  30. What is PyMySQL and how does it differ from MySQLdb? Can it affect Django deployment?

Leave a Comment