Prevent sql injection in python using cursor.execute correctly

Today I did some searching about how to prevent sql injection while using Python and MySQLdb. Then I found some links with tips and also did some experiment and found something interesting.

Usually I used to write mysql query in python this way:

query = ".."
cursor.execute(query)

But it can't prevent sql injection. Check this example: (It will be better if you create a table named user_info with the fields: id, name, email and populate the table with some data.)

import MySQLdb

try:
    conn = MySQLdb.connect (host = "localhost",
    user = "uname",
    passwd = "pass",
    db = "mydb")
    cursor = conn.cursor()
    
    email = "' OR '1'='1"
    query = "SELECT * FROM user_info WHERE email = '" + email + "'"
    print query
    cursor.execute(query)
    
    if cursor.rowcount > 0:
        print cursor.fetchall()
    else:
        print "no item found"
        
except MySQLdb.Error, e:
    print "Error %d: %s" % (e.args[0], e.args[1])

It will show all records from user_info table! Because the query SELECT * FROM user_info WHERE email = '' OR '1'='1' gets executed.

Now if you run the following code this won't happen:

import MySQLdb

try:
    conn = MySQLdb.connect (host = "localhost",
    user = "uname",
    passwd = "pass",
    db = "mydb")
    cursor = conn.cursor()

    email = "' OR '1'='1"
    
    cursor.execute("SELECT * FROM user_info WHERE email = %s", email)
    
    if cursor.rowcount > 0:
        print cursor.fetchall()
    else:
        print "no item found"
        
except MySQLdb.Error, e:
    print "Error %d: %s" % (e.args[0], e.args[1])

It displays "no item found". It is secured as it lets the MySQLdb library to handle the necessary checking. Here is the format:

cursor.execute("... %s ...%s", (param1, param2))

Do you have any more suggestion to prevent sql injection while coding in Python thus improving security?

Comments

Aydın Şen said…
if you use mysqldb directly %s is the right way to escape injections in pure sql, but generally i suggest to use an orm (like sqlalchemy) for general security, modularity and usability purpose.
September 2, 2010 at 3:09 AM
suresh666 said…
very interesting blog posts.informative and very helpful.this is one of the recommended blog for learners.thank you for providing such nice piece of articles.i am very glad to leave a comment.hope we expect more articles best regards from rstrainings

September 14, 2016 at 12:20 PM
Post a Comment

Popular posts from this blog

Strip HTML tags using Python

We often need to strip HTML tags from string (or HTML source). I usually do it using a simple regular expression in Python. Here is my function to strip HTML tags: def remove_html_tags(data): p = re.compile(r'<.*?>') return p.sub('', data) Here is another function to remove more than one consecutive white spaces: def remove_extra_spaces(data): p = re.compile(r'\s+') return p.sub(' ', data) Note that re module needs to be imported in order to use regular expression. Here you can find an updated code that gets the text from html: http://love-python.blogspot.com/2011/04/html-to-text-in-python.html
Read more

lambda magic to find prime numbers

Find prime number up to 100 with just 3 lines of code. The 4th line is for printing ;) nums = range(2, 100) for i in range(2, 10):     nums = filter(lambda x: x == i or x % i, nums) print nums Isn't it amazing? Check my new post about Prime number: http://love-python.blogspot.com/2010/11/prime-number-generator-in-python-using.html
Read more

Convert text to ASCII and ASCII to text - Python code

Python has a very simple way to convert text to ASCII and ASCII to text. To find the ASCII value of a character use the ord() function. Example: >>> ord('B') 66 To get a character from it's ASCII value use the chr() function. Example: >>> chr(65) 'A' Here is a program to get the list of all characters along with their values: # program to print the list of characters and their ASCII values for value in range(0, 255): print "ASCII Value:", value, "\t", "Character:", chr(value), "\n" Here is another simple ASCII encoding-decoding program: # Convertion from text to ASCII codes message = raw_input("Enter message to encode: ") print "Decoded string (in ASCII):" for ch in message: print ord(ch), print "\n\n" # Convertion from ASCII codes to text message = raw_input("Enter ASCII codes: ") decodedMessage = "" for item in message.split(): decodedMessage += chr
Read more