tags:

views:

1102

answers:

2
+4  Q: 

imploding a list for use in a python MySQLDB IN clause

I know how to map a list to a string:

foostring = ",".join( map(str, list_of_ids) )

And I know that I can use the following to get that string into an IN clause:

cursor.execute("DELETE FROM foo.bar WHERE baz IN ('%s')" % (foostring))

What I need is to accomplish the same thing SAFELY (avoiding SQL injection) using MySQLDB. In the above example because foostring is not passed as an argument to execute, it is vulnerable. I also have to quote and escape outside of the mysql library.

(There is a related SO question, but the answers listed there either do not work for MySQLDB or are vulnerable to SQL injection.)

+12  A: 

Use the list_of_ids directly:

format_strings = ','.join(['%s'] * len(list_of_ids))
cursor.execute("DELETE FROM foo.bar WHERE baz IN (%s)" % format_strings,
                tuple(list_of_ids))

That way you avoid having to quote yourself, and avoid all kinds of sql injection.

Note that the data (list_of_ids) is going directly to mysql's driver, as a parameter (not in the query text) so there is no injection. You can leave any chars you want in the string, no need to remove or quote chars.

nosklo  2009-02-26 06:46:38
Why quote the %s in the format_strings? Won't this be handled by the .execute() method, too?
unbeknown  2009-02-26 09:07:07
@heikogerlach: I am not quoting the %s... The first line creates a string of "%s,%s,%s"... the same size of list_of_ids length.
nosklo  2009-02-26 11:22:17
Argh, you're right. Need to look harder. Somehow I mixed it up. Nice solution, though.
unbeknown  2009-02-26 13:21:03
A: 

Did somebody take a look on MySQLdb source code? If not I suggest you to look at it - mainly because MySQLdb create the query on the client side and doesn't pass parameters to the server!

So it doesn't matter how you use it your code is vulnerable!

 2009-09-21 18:26:06
Really? That must suck. Let me check... (checks) ... huh, not really - `.execute()` method actually passes the argument list through an encoder http://mysql-python.svn.sourceforge.net/viewvc/mysql-python/trunk/MySQLdb/MySQLdb/converters.py?view=markup so you're safe. It sucks that the mysql server itself doesn't do that, but that is a mysql driver detail - you shouldn't do the interpolation yourself anyway, if you change drivers things can be different under the hood.
nosklo  2009-10-29 10:42:43

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL