romainnorberg/python_mysql_avoid_injection.py

## readme.md

      
    Raw
  

              readme.md
            
          
    Blog post: https://blog.romainnorberg.be/post/python-avoid-sql-injection-when-using-mysqlcursor-execute

  
## python_mysql_avoid_injection.py
import mysql.connector as mdb

con = mdb.connect(
    host='127.0.0.1',
    port=3306,
    user='root',
    passwd='rootroot',
    db='db', charset='utf8'
)

cur = con.cursor(dictionary=True)

# Injection work using cursor.execute(sql)
id = '1 OR 1=1'

cur.execute("SELECT * FROM user WHERE id=%s" % (id,))
result = cur.fetchall()

print("%d results !" % len(result)) # X results !

# Injection doesn't work using cursor.execute(sql, (val1, val2))
id = '1 OR 1=1'

cur.execute("SELECT * FROM user WHERE id=%s", (id,))
result = cur.fetchall()

print("%d result ✋" % len(result)) # 1 result ✋
	import mysql.connector as mdb

	con = mdb.connect(
	host='127.0.0.1',
	port=3306,
	user='root',
	passwd='rootroot',
	db='db', charset='utf8'
	)

	cur = con.cursor(dictionary=True)

	# Injection work using cursor.execute(sql)
	id = '1 OR 1=1'

	cur.execute("SELECT * FROM user WHERE id=%s" % (id,))
	result = cur.fetchall()

	print("%d results !" % len(result)) # X results !

	# Injection doesn't work using cursor.execute(sql, (val1, val2))
	id = '1 OR 1=1'

	cur.execute("SELECT * FROM user WHERE id=%s", (id,))
	result = cur.fetchall()

	print("%d result ✋" % len(result)) # 1 result ✋