Programming Forums > Script Programming > Python

Sane · Nov 28th, 2007, 3:50 PM

I need to stop mysql injections in Python's mysql library. However, mysql_real_escape_string does not exist for Python's wrapper for MySQL. Therefore, I need to emulate the behaviour of PHP's mysql_real_escape_string.

Does this cover all the bases?

(Toggle Plain Text)

def mysql_real_escape_string(string):
    return string\
        .replace('\\', '\\\\')\
        .replace('"', '\\"')\
        .replace("'", "\\'")

(Toggle Plain Text)

mysql_real_escape_string("  ' or username is not null or username='  ")
mysql_real_escape_string('  " or username is not null or username="  ')
mysql_real_escape_string("  \\' or username is not null or username= \\' ")

(Toggle Plain Text)

  \' or username is not null or username=\'  
  \" or username is not null or username=\"  
  \\\' or username is not null or username= \\\'

Arevos · Nov 28th, 2007, 4:06 PM

You can stop SQL injections by using parameters, e.g:

(Toggle Plain Text)

cursor.execute("SELECT * FROM users WHERE login = '%s' AND passwd = '%s'", (login, passwd))

Sane · Nov 28th, 2007, 4:54 PM

I'll have to rework everything, but I guess it's better to use something tried and tested anyways. Thanks.

Nov 28th, 2007, 3:50 PM	#1
Sane Programming Guru Join Date: Apr 2005 Posts: 1,799 Rep Power: 5	Emulating Behaviour Of "mysql_real_escape_string" I need to stop mysql injections in Python's mysql library. However, mysql_real_escape_string does not exist for Python's wrapper for MySQL. Therefore, I need to emulate the behaviour of PHP's mysql_real_escape_string. Does this cover all the bases? (Toggle Plain Text) def mysql_real_escape_string(string): return string\ .replace('\\', '\\\\')\ .replace('"', '\\"')\ .replace("'", "\\'") def mysql_real_escape_string(string): return string\ .replace('\\', '\\\\')\ .replace('"', '\\"')\ .replace("'", "\\'") (Toggle Plain Text) mysql_real_escape_string(" ' or username is not null or username=' ") mysql_real_escape_string(' " or username is not null or username=" ') mysql_real_escape_string(" \\' or username is not null or username= \\' ") mysql_real_escape_string(" ' or username is not null or username=' ") mysql_real_escape_string(' " or username is not null or username=" ') mysql_real_escape_string(" \\' or username is not null or username= \\' ") (Toggle Plain Text) \' or username is not null or username=\' \" or username is not null or username=\" \\\' or username is not null or username= \\\' \' or username is not null or username=\' \" or username is not null or username=\" \\\' or username is not null or username= \\\'

Nov 28th, 2007, 4:06 PM	#2
Arevos Programming Guru Join Date: Aug 2005 Location: England Posts: 1,499 Rep Power: 4	Re: Emulating Behaviour Of "mysql_real_escape_string" You can stop SQL injections by using parameters, e.g: (Toggle Plain Text) cursor.execute("SELECT * FROM users WHERE login = '%s' AND passwd = '%s'", (login, passwd)) cursor.execute("SELECT * FROM users WHERE login = '%s' AND passwd = '%s'", (login, passwd))

Nov 28th, 2007, 4:54 PM	#3
Sane Programming Guru Join Date: Apr 2005 Posts: 1,799 Rep Power: 5	Re: Emulating Behaviour Of "mysql_real_escape_string" I'll have to rework everything, but I guess it's better to use something tried and tested anyways. Thanks.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
/usr/bin/ld: Undefined symbols	jubitzu	C++	9	Mar 8th, 2007 11:00 AM
RadioButtonList Strange Behaviour	Iftikhar	ASP.NET	0	Oct 27th, 2006 6:40 AM
Is this undefined behaviour?	InfoGeek	C++	26	Jun 27th, 2006 9:17 AM
Assigning an array of lists	deanosrs	C	42	Apr 13th, 2006 1:35 PM
Could some please explain classes to me...	TCStyle	C++	10	Feb 20th, 2006 3:51 PM

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Programming Forums > Script Programming > Python

Emulating Behaviour Of "mysql_real_escape_string"