petdance/bobby-tables

Suggest oursql instead of MySQLdb for Python

Opened this issue · 2 comments

MySQLdb doesn't actually do parameterized queries, but simply quietly escapes and interpolates the passed-in values behind the scenes. This means that under certain (encoding) circumstances, it could be vulnerable to SQL injection.

oursql has actual parameterization, and should probably be recommended for MySQL instead.

Could you write up an example? I know nothing of Python, so rely on readers to do the coding for me on things like this.

It is effectively the same as the MySQLdb module API-wise (they are both DB-API compliant); they just work differently in the background. oursql speaks the binary protocol (allowing for actual parameterization), whereas MySQLdb escapes the parameters and interpolates (presumably using the older protocol). The example therefore shouldn't really need changing.

That being said, it does use a different parameter style from MySQLdb:

>>> import oursql; print oursql.paramstyle
qmark

Thus the last sentence probably also needs changing.
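An added illustration of the paramstyle point discussed above (not code from the issue or from the bobby-tables project). It uses the standard-library sqlite3 module as a stand-in for oursql, since both report paramstyle "qmark" and bind parameters rather than splicing them into SQL text, so it runs offline; the table and rows are constructed sample data, and "format" stands for MySQLdb's "%s" placeholders.

```python
"""Same DB-API query written for 'qmark' (oursql, sqlite3) and 'format' (MySQLdb)
placeholders, next to the interpolation anti-pattern the site warns about.
sqlite3 and the sample rows are stand-ins chosen for this example."""
import sqlite3

# Placeholder token for each DB-API paramstyle mentioned in the issue.
PLACEHOLDERS = {"qmark": "?", "format": "%s"}


def select_user_sql(paramstyle):
    """Return the same query written for the given driver's paramstyle.

    Only the constant placeholder token is substituted here, never user data,
    so this is a safe way to stay portable across DB-API drivers."""
    placeholder = PLACEHOLDERS[paramstyle]
    return f"SELECT id, name FROM users WHERE name = {placeholder}"


def make_db():
    """Constructed in-memory table; 'O'Brien' shows why quoting matters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("O'Brien",)])
    return conn


def find_user_parameterized(conn, name):
    """Bind the value as a parameter; the driver never treats it as SQL text."""
    sql = select_user_sql(sqlite3.paramstyle)  # sqlite3.paramstyle == "qmark"
    return conn.execute(sql, (name,)).fetchall()


def find_user_interpolated(conn, name):
    """Anti-pattern: the value becomes part of the SQL string.

    Returns None when the resulting statement fails to parse, which is what a
    single quote in the input causes here."""
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


if __name__ == "__main__":
    db = make_db()
    print(select_user_sql("qmark"))
    print(select_user_sql("format"))
    print(find_user_parameterized(db, "O'Brien"))   # [(2, "O'Brien")]
    print(find_user_interpolated(db, "O'Brien"))    # None
```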