Fixing SQL Injection With _mysql

Question

I just found out that the way I am using _mysql is causing a major SQL Injection problem.

My current code looks like:

db = _mysql.connect('', 'user', 'pass', 'db')
query = """SELECT * FROM stuff WHERE thing="{0}" """.format(user_input)
cur.query(query)

What am I doing wrong and how can I fix it so that it is safe?

I have tried using _mysql.escape_string() but that still returns an SQL syntax error.

Well... You need to educate yourself. This seems like acceptable source: <dev.mysql.com/tech-resources/articles/…>. — PM 77-1
– PM 77-1, Commented Mar 11, 2013 at 0:41
SQL Injection Vulnerability has nothing to do with syntax errors. Please clarify your exact question. — PM 77-1
– PM 77-1, Commented Mar 11, 2013 at 0:43

Explosion Pills · Accepted Answer · 2013-03-11 00:42:20Z

2

You can use MySQLdb on its own:

conn = MySQLdb.connect();
curs = conn.cursor();
curs.execute("SELECT * FROM stuff WHERE thing = %s", (user_input));

If you want to stick with _mysql, use db.escape_string(user_input).

answered Mar 11, 2013 at 0:42

Explosion Pills

192k56 gold badges341 silver badges417 bronze badges

Sign up to request clarification or add additional context in comments.

1 Comment

I decided to just use MongoDB instead.

Robert H · Accepted Answer · 2013-03-11 00:49:43Z

2

A nice handy reference is available via the bobby tables website.

You may also find value in In this powerpoint reference which shows some examples of sql injection as well as possible ways to mitigate the issue.

answered Mar 11, 2013 at 0:44

Robert H

11.7k19 gold badges72 silver badges112 bronze badges