MySQLdb escaping example incorrect
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
| OpenStack Security Notes | New | Low | Joshua Padman | |
Bug Description
The following web page provides information for securing sql queries using parameterized queries.
https:/
The first "correct" example under MySQL is incorrect. Firstly, it escapes the entire query which would lead to it being invalid SQL. Secondly, it isn't a real parameterised query.
```python
import MySQLdb
query = "select username from users where username = '%s'" % name
con = MySQLdb.
with con:
    cur = con.cursor()
    cur.
```
There are three ways I can see to fix this; my preference is 2:
1. Modify the example as follows - escaping the user input only:
```python
import MySQLdb
query = "select username from users where username = '%s'" % MySQLdb.
con = MySQLdb.
with con:
    cur = con.cursor()
    cur.
```
2. Do option 1, plus note that this is still not ideal and that the second example is the actual "correct" parameterised query example.
3. Remove this example from the documentation.
This was brought to my attention by a friend, sneakerhax.
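As an added illustration (not part of the bug report or of the guideline page), the difference between the interpolated pattern the report objects to and a real parameterised query. Python's sqlite3 module stands in for MySQLdb so it runs offline; sqlite3 uses `?` placeholders where MySQLdb uses `%s`, but the two-argument `execute(sql, params)` form is the same, and the `users` table and its rows are constructed here.

```python
import sqlite3

# Constructed stand-in for the MySQL "users" table from the guideline example.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("create table users (username text)")
    con.executemany("insert into users values (?)",
                    [("alice",), ("bob",), ("o'brien",)])
    return con

def lookup_interpolated(con, name):
    # The pattern the bug report objects to: untrusted input is formatted
    # into the SQL text before execution, so it can change the query's shape.
    query = "select username from users where username = '%s'" % name
    return sorted(row[0] for row in con.execute(query))

def lookup_parameterized(con, name):
    # Real parameterised query: the SQL text is fixed and the driver binds
    # the value, so quotes inside `name` can only ever be data.
    # (sqlite3 placeholder is '?'; with MySQLdb it would be '%s'.)
    query = "select username from users where username = ?"
    return sorted(row[0] for row in con.execute(query, (name,)))

def interpolation_breaks_on(con, name):
    # True if the interpolated form produces invalid SQL for this input,
    # which happens as soon as the name contains a quote character.
    try:
        lookup_interpolated(con, name)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    con = make_db()
    print(lookup_interpolated(con, "alice"))        # ['alice']
    print(lookup_parameterized(con, "o'brien"))     # ["o'brien"]
    print(interpolation_breaks_on(con, "o'brien"))  # True
    # A value carrying a trailing OR clause widens the interpolated query
    # to every row, while the bound version simply matches nothing.
    tainted = "x' or '1'='1"
    print(lookup_interpolated(con, tainted))        # ['alice', 'bob', "o'brien"]
    print(lookup_parameterized(con, tainted))       # []
```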
Changed in ossn:
- assignee: nobody → Joshua Padman (jpadman)
- importance: Undecided → Low
Thanks for the report. I've assigned it to the OSSN project, which seems like the group owning the security guidelines.