0

I'm working on a project in Python with MySQLdb. As part of this, I'm moving user details, including salted passwords from one system that generates them to a new one that simply uses them.

Single, double or triple quotes can delineate your string start and end. However, single and double quotes are part of several hashes in the 4.5k or so users I'm migrating. Both tokens appear in about 450 of those salts.

An edited version of the code is as follows

Django.execute ('INSERT INTO auth_user (password) VALUES ("' + user.password + '")')

I have tried swapping between the quote type used in this database cursor object, as and when either quote type or the other are detected, but this still leaves the 150 or so that contain both.

What work arounds can I use for this?

I have tried triple quotes, but they throw a programming error on the cursor object.

Thanks in advance

S.Lott
  • 384,516
  • 81
  • 508
  • 779
Philip Mais
  • 299
  • 1
  • 3
  • 4
  • Have you tried using prepared statements? See [this question](http://stackoverflow.com/questions/1947750/does-python-support-mysql-prepared-statements) – The Scrum Meister Feb 15 '11 at 23:04

1 Answers1

2

Query parameters should provide all the proper escaping, for example:

cursor.execute('INSERT INTO auth_user (password) VALUES (%s)', [password])

From the Django docs at: http://docs.djangoproject.com/en/dev/topics/db/sql/

If you're not familiar with the Python DB-API, note that the SQL statement in cursor.execute() uses placeholders, "%s", rather than adding parameters directly within the SQL. If you use this technique, the underlying database library will automatically add quotes and escaping to your parameter(s) as necessary. (Also note that Django expects the "%s" placeholder, not the "?" placeholder, which is used by the SQLite Python bindings. This is for the sake of consistency and sanity.)

payne
  • 13,833
  • 5
  • 42
  • 49