Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How can I escape the input to a MySQL db in Python3?

Tags:

sql

python-3.x

mysql

pymysql

How can I escape the input to a MySQL db in Python3? I'm using PyMySQL and works fine, but when I try to do something like:

cursor.execute("SELECT * FROM `Codes` WHERE `ShortCode` =  '{}'".format(request[1]))

it won't work if the string has ' or ". I also tried:

cursor.execute("SELECT * FROM `Codes` WHERE `ShortCode` =  %s",request[1])

The problem with this is that the library (PyMySQL) uses the formatting syntax for Python2.x, %, that doesn't work anymore. I also found this possible solution

conn.escape_string()

in here, but I don't know where to add this code. This is all I got:

import pymysql
import sys
conn = pymysql.connect( host   = "localhost",
            user   = "test",
            passwd = "",
            db     = "test")
cursor = conn.cursor()
cursor.execute("SELECT * FROM `Codes` WHERE `ShortCode` =  {}".format(request[1]))

result = cursor.fetchall()

cursor.close()
conn.close()

Edit: I solved it! In PyMySQL the right way is like this:

import pymysql
import sys
conn = pymysql.connect(host="localhost",
            user="test",
            passwd="",
            db="test")
cursor = conn.cursor()
text = conn.escape(request[1])
cursor.execute("SELECT * FROM `Codes` WHERE `ShortCode` =  {}".format(text))

cursor.close()
conn.close()

Where the text = conn.escape(request[1]) line is what escapes the code. Found it inside PyMySQL code. There, request[1] is the input.

like image 990
user1460016 Avatar asked Jul 06 '12 13:07

user1460016

2 Answers

Although the "solved" answer works, it is not best practice. When using a library conforming to the Python DBI, you should be using bind variables rather than formatting a string and passing it to execute. There are dangers inherent in that methodology.

Therefore, this is the right way to do it:

cursor.execute("SELECT * FROM `Codes` WHERE `ShortCode` = %s", text)

Note that this is not a format string but a bind variable passed to the executing cursor.

For details: Python DBI PEP

like image 60
rootsmith Avatar answered Oct 28 '22 08:10

rootsmith

Solved. In PyMySQL the right way is like this:

import pymysql
import sys
conn = pymysql.connect(host="localhost",
            user="test",
            passwd="",
            db="test")
cursor = conn.cursor()
text = conn.escape(request[1])
cursor.execute("SELECT * FROM `Codes` WHERE `ShortCode` =  {}".format(text))

cursor.close()
conn.close()

Where the text = conn.escape(request[1]) line is what escapes the code. Found it inside PyMySQL code. There, request[1] is the input.

like image 3
user1460016 Avatar answered Oct 28 '22 09:10

user1460016
Sign in to Comment

Related questions

MySQL convert YEARWEEK to date
WAMP server switch MySQL to MariaDB
What's the best way to search a MySQL database with PHP?
MySQL: How to determine foreign key relationships programmatically?
wamp cannot load mysqli extension
Trying to add 1 to current field value with MySQL, but can't figure out what's wrong with my syntax
Mysql SUM with case statement
Mysql left/inner join combination not working as expected
remove duplicate rows based on one column value
Convert Date to Milliseconds in MySQL
PyMySQL Insert NULL or a String
Hibernate 5 :- org.hibernate.MappingException: Unknown entity
Laravel SQLSTATE[HY000] [1049] Unknown database 'previous_db_name'
SQLSTATE[01000]: Warning: 1265 Data truncated for column
docker-compose : The server requested authentication method unknown to the client
MySQLNonTransientConnectionException: Client does not support authentication protocol requested by server; consider upgrading MySQL client [duplicate]
SQLSTATE[HY000] [1045] Access denied for user 'root'@'localhost' (using password: NO) . DB_HOST set to localhost
Selecting Random Rows in MySQL
MYSQL update query to remove spaces
How to define a "unique" constraint on a column of MySQL table in Ruby on Rails 3?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!