Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

pymssql and placeholders

What placeholders can I use with pymssql. I'm getting my values from the html query string so they are all of type string. Is this safe with regard to sql injection?

query = dictify_querystring(Response.QueryString)
employeedata = conn.execute_row("SELECT * FROM employees WHERE company_id=%s and name = %s", (query["id"], query["name"]))  

What mechanism is being used in this case to avoid injections?

There isn't much in the way of documentation for pymssql...

Maybe there is a better python module I could use to interface with Sql Server 2005.

Thanks,

Barry

like image 941
Baz Avatar asked Mar 13 '12 18:03

Baz


People also ask

How do I use pymssql scripts?

Example scripts using pymssql module. When connecting using Windows Authentication, this is how to combine the database’s hostname and instance name, and the Active Directory/Windows Domain name and the username. This example uses raw strings ( r'...') for the strings that contain a backslash. You can also use iterators instead of while loop.

What are placeholders in a SQL query?

Some APIs provide an alternative that allows you to specify query strings that do not include literal data values. Using this approach, you write the statement using placeholders—special characters that indicate where the values go. One common placeholder character is ?, so the previous queries might be rewritten to use placeholders like this:

How to retrieve a result set from a query in pymssql?

The pymssql.connect function is used to connect to SQL Database. The cursor.execute function can be used to retrieve a result set from a query against SQL Database. This function essentially accepts any query and returns a result set, which can be iterated over with the use of cursor.fetchone ().

How to call stored procedures in pymssql context manager?

The context manager personality of connections and cursor is a pymssql extension to the DB-API. As of pymssql 2.0.0 stored procedures can be called using the rpc interface of db-lib. New in version 2.1.0. You can use the pymssql.set_wait_callback () function to install a callback function you should write yourself.


1 Answers

Regarding SQL injection, and not knowing exactly how that implementation works, I would say that's not safe.

Some simple steps to make it so:

  1. Change that query into a prepared statement (or make sure the implementation internally does so, but doesn't seem like it).

  2. Make sure you use ' around your query arguments.

  3. Validate the expected type of your arguments (if request parameters that should be numeric are indeed numeric, etc).

Mostly... number one is the key. Using prepared statements is the most important and probably easiest line of defense against SQL injection.

Some ORM's take care of some of these issues for you (notice the ample use of the word some), but I would advise making sure you know these problems and how to work around them before using an abstraction like an ORM.

Sooner or later, you need to know what's going on under those wonderful layers of time-saving.

like image 88
pcalcao Avatar answered Sep 19 '22 00:09

pcalcao