
How to properly parameterize query and escape inputs properly to prevent SQL injection?

I'm using mysqlclient (fork of MySQLdb1 for python3) in Python 3.4.3, and according to what I've read online (Escape string Python for MySQL), MySQLdb Python queries should be written like this for proper escaping:

query = self.conn.cursor()
query.execute('SELECT 1 FROM servers WHERE ip=%s AND port=%s AND game_id=%s', (ip, port, gameid))

Unfortunately, when I do that, I get the following error:

unsupported operand type(s) for %: 'bytes' and 'tuple' mysqldb

This appears to work, but this could lead to SQL injection?

query = self.conn.cursor()
# values are spliced into the SQL text before execute() sees it, so nothing is escaped
query.execute("SELECT 1 FROM servers WHERE ip='%s' AND port=%s AND game_id='%s'" % (ip, port, gameid))

So, how do I safely get the query above to work using the preferred syntax method that will escape it all for me in Python 3.4.3?
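The difference between the two snippets in the question, shown side by side as an added example (not code from the original post). It uses the standard-library sqlite3 module so it runs offline; the only MySQL-specific detail it models is the placeholder character, which it picks from the DB-API module's `paramstyle` (sqlite3 is `qmark`, MySQLdb/mysqlclient is `format`, mysql-connector is `pyformat`). The `servers` rows and the `placeholder_for` helper are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for the question's MySQL 'servers' table.
SAMPLE_SERVERS = [
    ("10.0.0.1", 27015, "csgo"),
    ("10.0.0.2", 27016, "tf2"),
]


def make_connection():
    """In-memory SQLite database with the same three columns as the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE servers (ip TEXT, port INTEGER, game_id TEXT)")
    conn.executemany("INSERT INTO servers VALUES (?, ?, ?)", SAMPLE_SERVERS)
    conn.commit()
    return conn


def placeholder_for(module):
    """Positional placeholder for a DB-API 2.0 module (hypothetical helper).

    sqlite3 declares 'qmark' (?), MySQLdb/mysqlclient declares 'format' (%s)
    and mysql-connector declares 'pyformat', which also accepts %s.
    """
    style = getattr(module, "paramstyle", "format")
    if style == "qmark":
        return "?"
    if style in ("format", "pyformat"):
        return "%s"
    raise ValueError("unsupported paramstyle: " + style)


def count_matches_safe(conn, ip, port, gameid, module=sqlite3):
    """Parameterized query: the driver binds the values, they never become SQL text."""
    ph = placeholder_for(module)
    sql = "SELECT 1 FROM servers WHERE ip={0} AND port={0} AND game_id={0}".format(ph)
    cur = conn.cursor()
    cur.execute(sql, (ip, port, gameid))   # the tuple is passed, not %-formatted
    return len(cur.fetchall())


def count_matches_unsafe(conn, ip, port, gameid):
    """Mirrors the question's second snippet: values %-formatted into the SQL string."""
    sql = "SELECT 1 FROM servers WHERE ip='%s' AND port=%s AND game_id='%s'" % (ip, port, gameid)
    cur = conn.cursor()
    cur.execute(sql)
    return len(cur.fetchall())


if __name__ == "__main__":
    db = make_connection()
    # Constructed input: a quote followed by a tautology, the classic injection probe.
    hostile = "' OR '1'='1"
    print("safe, legit:   ", count_matches_safe(db, "10.0.0.1", 27015, "csgo"))
    print("safe, hostile: ", count_matches_safe(db, "10.0.0.1", 27015, hostile))
    print("unsafe, legit: ", count_matches_unsafe(db, "10.0.0.1", 27015, "csgo"))
    print("unsafe, hostile:", count_matches_unsafe(db, "10.0.0.1", 27015, hostile))
```

With the bound-parameter version the hostile string is compared literally against `game_id` and matches nothing; with the `%`-formatted version it rewrites the WHERE clause and every row comes back. Note that the placeholders in the safe query are bare (`ip=%s`, not `ip='%s'`): quoting is the driver's job, and wrapping the placeholder in quotes yourself is the usual cause of the "unsupported operand" confusion, because it tempts people back into `%`-formatting the string.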

I couldn't get mysqlclient (a fork of MySQLdb, https://pypi.org/project/mysqlclient/) to work with Python 3.4 with the proper SQL syntax (the syntax that escapes everything for you). I switched to mysql-connector, and the same query code now works fine. It looks like a bug in mysqlclient.

pip3 install mysql-connector-python

https://pypi.org/project/mysql-connector-python/

mysqlclient-python doesn't support Python 3.4 anymore. Use newer Python.
