Emulating Behaviour Of "mysql_real_escape_string" (http://www.programmingforums.org/showthread.php?t=14636)

Sane Nov 28th, 2007 4:50 PM

Emulating Behaviour Of "mysql_real_escape_string"
 
I need to stop mysql injections in Python's mysql library. However, mysql_real_escape_string does not exist for Python's wrapper for MySQL. Therefore, I need to emulate the behaviour of PHP's mysql_real_escape_string.

Does this cover all the bases?

Code:

def mysql_real_escape_string(string):
    # Backslash is replaced first, so the backslashes added for the quotes
    # below are not doubled again. MySQL's own mysql_real_escape_string also
    # escapes NUL, \n, \r and \x1a, which this version leaves untouched.
    return string\
        .replace('\\', '\\\\')\
        .replace('"', '\\"')\
        .replace("'", "\\'")


Code:

print(mysql_real_escape_string("  ' or username is not null or username='  "))
print(mysql_real_escape_string('  " or username is not null or username="  '))
print(mysql_real_escape_string("  \\' or username is not null or username= \\' "))


Output:

  \' or username is not null or username=\' 
  \" or username is not null or username=\" 
  \\\' or username is not null or username= \\\'


Arevos Nov 28th, 2007 5:06 PM

Re: Emulating Behaviour Of "mysql_real_escape_string"
 
You can stop SQL injections by using parameters, e.g:

Code:

# Placeholders go in bare: the driver quotes and escapes each bound value itself.
# Writing '%s' with quotes around the placeholder would yield ''alice'' in the SQL.
cursor.execute("SELECT * FROM users WHERE login = %s AND passwd = %s", (login, passwd))

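Added example, not code from either post: it runs the escaper from the first post against a query that pastes user input into a numeric context, where there is nothing to escape, and then performs the same lookup with a bound parameter as the reply suggests. It uses Python's sqlite3 module as a stand-in for MySQLdb so that it runs without a server; the table, rows and inputs are constructed for the example. Two caveats about the stand-in: sqlite3 uses ? placeholders where MySQLdb uses %s, and SQLite does not treat backslash as a string escape, so the escaper is only exercised against the database on the numeric input, which contains no quotes or backslashes and passes through it unchanged on any backend.

```python
import sqlite3


# Escaper from the first post, reproduced here so the comparison is self-contained.
def mysql_real_escape_string(string):
    return string.replace('\\', '\\\\').replace('"', '\\"').replace("'", "\\'")


def build_db():
    """Constructed sample data: an in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn


def lookup_with_escaping(conn, user_id):
    """Numeric context: the value is pasted in without surrounding quotes, so
    escaping quotes cannot help. An input such as "1 OR 1=1" contains no quote
    or backslash, comes out of the escaper unchanged and becomes part of the
    WHERE clause."""
    sql = ("SELECT username FROM users WHERE id = "
           + mysql_real_escape_string(user_id) + " ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def lookup_with_parameters(conn, user_id):
    """Same lookup with a bound parameter: the value travels separately from
    the SQL text, so "1 OR 1=1" is compared against the id column as one
    literal value and matches nothing. MySQLdb spells the placeholder %s
    instead of ?; the principle is identical."""
    sql = "SELECT username FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def login_with_parameters(conn, username, passwd):
    """String context with parameters: the classic ' OR '1'='1 payload is
    simply a username nobody has. Note there are no quotes around the
    placeholders; the driver adds them."""
    sql = "SELECT username FROM users WHERE username = ? AND passwd = ?"
    return [row[0] for row in conn.execute(sql, (username, passwd))]


if __name__ == "__main__":
    conn = build_db()
    for payload in ("1", "1 OR 1=1"):
        print(repr(payload),
              "escaped:", lookup_with_escaping(conn, payload),
              "parameterised:", lookup_with_parameters(conn, payload))
    print(login_with_parameters(conn, "' OR '1'='1", "x"))
```

With MySQLdb the same code uses %s placeholders and the driver applies mysql_real_escape_string (or the connection's equivalent) to each value before splicing it in, which is why hand-rolled escaping plus string formatting is both riskier and more work than passing the tuple as the second argument to execute().
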
Sane Nov 28th, 2007 5:54 PM

Re: Emulating Behaviour Of "mysql_real_escape_string"
 
I'll have to rework everything, but I guess it's better to use something tried and tested anyways. Thanks.



Copyright ©2007 DaniWeb® LLC