Skip to content Skip to sidebar Skip to footer
Home / Mysql / Python / Security / Sql / Sql Injection

Python Mysql, Is This A Prepared Statement?

Post a Comment
I am setting up a mysql app. This is my getUsername method connects using standard mysqldb formatting. Does this mean it is a prepared statement? Also, is this code safe, or am I

Solution 1:

No - there is no way to make a prepared statement in MySQLdb. You won't find any mysql_stmt_init(), mysql_stmt_prepare() or mysql_stmt_execute() in the MySQL API binding in _mysql.c.

For whatever reason, the author of MySQLdb chose to simulate parameters instead of using real server-side prepared statements.

To protect against SQL injection, the MySQLdb package uses Python string-format syntax. It interpolates dynamic values into SQL queries and applies correct escaping, i.e. adding \ before quote characters to make sure dynamic values don't contain string delimiters.

See my answer to How do PyMySQL prevent user from sql injection attack? for a demonstration.

However, escaping doesn't help if you need to use dynamic values for numeric constants.

Post a Comment for "Python Mysql, Is This A Prepared Statement?"