From israel_tecinf at ibest.com.br  Thu Jul 18 06:56:42 2013
From: israel_tecinf at ibest.com.br (ISRAEL DA-COSTA-HOMEM)
Date: Thu, 18 Jul 2013 01:56:42 -0300
Subject: [DB-SIG] PEP 249
Message-ID: <CALj1eJLf0amVsOsFBW2xb3jiEKzMUx4fnRA9p5N7_aowZaumuA@mail.gmail.com>

Good night,

I installed 2.0 pymssql this link http://www.lfd.uci.edu/ ~ Gohlke /
pythonlibs / # pymssql, but the following error occurred below. I
uninstalled and installed version pymssql 1.0.2 which worked perfectly.
What might have gone wrong?

My py is 2.7.3. If I install using pip also have the same problem.
I use Sql Server  2008 R2 and IDLE.



Traceback (most recent call last):
  File "C:\Users\Israel\Desktop\local_sql.py", line 4, in <module>
    con = pymssql.connect(host = 'localhost', user = 'sa', password = 'sa',
database = 'teste_db')
  File "pymssql.pyx", line 556, in pymssql.connect (pymssql.c:7990)
    raise OperationalError(e[0])
OperationalError: (20009, 'Net-Lib error during Unknown error')



Thanks in advance.

-- 
*Israel Homem*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/db-sig/attachments/20130718/0f9e2f8c/attachment.html>

From mal at egenix.com  Thu Jul 18 09:24:22 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Thu, 18 Jul 2013 09:24:22 +0200
Subject: [DB-SIG] pymssql error (was: PEP 249)
In-Reply-To: <CALj1eJLf0amVsOsFBW2xb3jiEKzMUx4fnRA9p5N7_aowZaumuA@mail.gmail.com>
References: <CALj1eJLf0amVsOsFBW2xb3jiEKzMUx4fnRA9p5N7_aowZaumuA@mail.gmail.com>
Message-ID: <51E79826.4080308@egenix.com>

On 18.07.2013 06:56, ISRAEL DA-COSTA-HOMEM wrote:
> Good night,
> 
> I installed 2.0 pymssql this link http://www.lfd.uci.edu/ ~ Gohlke /
> pythonlibs / # pymssql, but the following error occurred below. I
> uninstalled and installed version pymssql 1.0.2 which worked perfectly.
> What might have gone wrong?
> 
> My py is 2.7.3. If I install using pip also have the same problem.
> I use Sql Server  2008 R2 and IDLE.
> 
> 
> 
> Traceback (most recent call last):
>   File "C:\Users\Israel\Desktop\local_sql.py", line 4, in <module>
>     con = pymssql.connect(host = 'localhost', user = 'sa', password = 'sa',
> database = 'teste_db')
>   File "pymssql.pyx", line 556, in pymssql.connect (pymssql.c:7990)
>     raise OperationalError(e[0])
> OperationalError: (20009, 'Net-Lib error during Unknown error')

It usually helps searching the net for the error string :-)

http://code.google.com/p/pymssql/issues/detail?id=74
http://pyyou.wordpress.com/2009/02/01/install-pymssql-and-how-to-deal-with-db-lib-error-message-20009-severity-9/
http://stackoverflow.com/questions/15706078/pymssql-python-connection-string

If one of those links don't help, I'd suggest contacting the
package author or filing a bug report.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jul 18 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

From carl at personnelware.com  Thu Jul 18 15:38:24 2013
From: carl at personnelware.com (Carl Karsten)
Date: Thu, 18 Jul 2013 08:38:24 -0500
Subject: [DB-SIG] mysql module embeds params in command string
Message-ID: <CADmzSSiPEuryzEhCysqgGzn4mnE=xsMuAa5Fpsqs7QPCdGAL3A@mail.gmail.com>

I feel I need to post this now and then in hopes I find someone who
can do something about it.  This might even be worth some PSF funding?

I am not a security expert, I am not qualified to asses the risk, it
doesn't matter if I consider this a vulnerability.  That said, I know
it is a problem that should be fixed.

 query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args )
 self._query(query)

http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185

Yes: the mysql python module that everyone uses does string
substitution to combine the command and parameters into a command with
embedded constants.

I opened a bug against it years ago.  I looked at fixing it, but that
lead me into coercing python values into whatever the mysql client lib
does, and that is not something I should be doing.


-- 
Carl K

From mal at egenix.com  Thu Jul 18 15:55:42 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Thu, 18 Jul 2013 15:55:42 +0200
Subject: [DB-SIG] mysql module embeds params in command string
In-Reply-To: <CADmzSSiPEuryzEhCysqgGzn4mnE=xsMuAa5Fpsqs7QPCdGAL3A@mail.gmail.com>
References: <CADmzSSiPEuryzEhCysqgGzn4mnE=xsMuAa5Fpsqs7QPCdGAL3A@mail.gmail.com>
Message-ID: <51E7F3DE.1080309@egenix.com>

Carl Karsten wrote:
> I feel I need to post this now and then in hopes I find someone who
> can do something about it.  This might even be worth some PSF funding?
> 
> I am not a security expert, I am not qualified to asses the risk, it
> doesn't matter if I consider this a vulnerability.  That said, I know
> it is a problem that should be fixed.
> 
>  query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args )
>  self._query(query)
> 
> http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185
> 
> Yes: the mysql python module that everyone uses does string
> substitution to combine the command and parameters into a command with
> embedded constants.
> 
> I opened a bug against it years ago.  I looked at fixing it, but that
> lead me into coercing python values into whatever the mysql client lib
> does, and that is not something I should be doing.

As long as the encoders properly quote all parameter values,
such an operation should be fine, but I agree: this would
probably need an audit by a MySQL expert who has intimate
knowledge about all the different quoting rules MySQL supports.

Aside: I don't know anything about the MySQL client C API,
but the above strikes me as a rather inefficient way of passing
parameters to the database. Doesn't the MySQL client lib offer
a way to send the SQL and the parameters as logically
separate items to the database server ?

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::


   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

From mike_mp at zzzcomputing.com  Thu Jul 18 16:08:25 2013
From: mike_mp at zzzcomputing.com (Michael Bayer)
Date: Thu, 18 Jul 2013 10:08:25 -0400
Subject: [DB-SIG] mysql module embeds params in command string
In-Reply-To: <CADmzSSiPEuryzEhCysqgGzn4mnE=xsMuAa5Fpsqs7QPCdGAL3A@mail.gmail.com>
References: <CADmzSSiPEuryzEhCysqgGzn4mnE=xsMuAa5Fpsqs7QPCdGAL3A@mail.gmail.com>
Message-ID: <E0396791-A980-4507-A5AC-8C13F2F91BC2@zzzcomputing.com>


On Jul 18, 2013, at 9:38 AM, Carl Karsten <carl at personnelware.com> wrote:

> I feel I need to post this now and then in hopes I find someone who
> can do something about it.  This might even be worth some PSF funding?
> 
> I am not a security expert, I am not qualified to asses the risk, it
> doesn't matter if I consider this a vulnerability.  That said, I know
> it is a problem that should be fixed.
> 
> query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args )
> self._query(query)
> 
> http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185
> 
> Yes: the mysql python module that everyone uses does string
> substitution to combine the command and parameters into a command with
> embedded constants.
> 
> I opened a bug against it years ago.  I looked at fixing it, but that
> lead me into coercing python values into whatever the mysql client lib
> does, and that is not something I should be doing.


Not like this shouldn't be fixed, but also in theory, people would be moving to MySQL Connector/Python, seeing as it's the Python driver that's actually advertised on the MySQL site and also runs in Python 3:

http://dev.mysql.com/doc/connector-python/en/

I haven't looked at its source, and it did take a long time for this driver to be usable, but recent versions seem to work well.    It's worth seeing what approach it takes to bound parameters internally.

Not to mention there's lots of other MySQL drivers: OurSQL, cymysql, pymysql.    I've tested all of these and they all work pretty well.



From carl at personnelware.com  Fri Jul 19 05:03:54 2013
From: carl at personnelware.com (Carl Karsten)
Date: Thu, 18 Jul 2013 22:03:54 -0500
Subject: [DB-SIG] mysql module embeds params in command string
In-Reply-To: <E0396791-A980-4507-A5AC-8C13F2F91BC2@zzzcomputing.com>
References: <CADmzSSiPEuryzEhCysqgGzn4mnE=xsMuAa5Fpsqs7QPCdGAL3A@mail.gmail.com>
	<E0396791-A980-4507-A5AC-8C13F2F91BC2@zzzcomputing.com>
Message-ID: <CADmzSShYS-K_p-1iw1kbKPzFQV5P5vYMZaywShJg8At0ae4jbQ@mail.gmail.com>

Huh, I didn't know there were any other options.  I wonder why this says this:

MySQLdb is the Python interface to MySQL. Version 1.2.1p2 or later is
required for full MySQL support in Django.

https://docs.djangoproject.com/en/1.5/ref/databases/#mysqldb



On Thu, Jul 18, 2013 at 9:08 AM, Michael Bayer <mike_mp at zzzcomputing.com> wrote:
>
> On Jul 18, 2013, at 9:38 AM, Carl Karsten <carl at personnelware.com> wrote:
>
>> I feel I need to post this now and then in hopes I find someone who
>> can do something about it.  This might even be worth some PSF funding?
>>
>> I am not a security expert, I am not qualified to asses the risk, it
>> doesn't matter if I consider this a vulnerability.  That said, I know
>> it is a problem that should be fixed.
>>
>> query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args )
>> self._query(query)
>>
>> http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185
>>
>> Yes: the mysql python module that everyone uses does string
>> substitution to combine the command and parameters into a command with
>> embedded constants.
>>
>> I opened a bug against it years ago.  I looked at fixing it, but that
>> lead me into coercing python values into whatever the mysql client lib
>> does, and that is not something I should be doing.
>
>
> Not like this shouldn't be fixed, but also in theory, people would be moving to MySQL Connector/Python, seeing as it's the Python driver that's actually advertised on the MySQL site and also runs in Python 3:
>
> http://dev.mysql.com/doc/connector-python/en/
>
> I haven't looked at its source, and it did take a long time for this driver to be usable, but recent versions seem to work well.    It's worth seeing what approach it takes to bound parameters internally.
>
> Not to mention there's lots of other MySQL drivers: OurSQL, cymysql, pymysql.    I've tested all of these and they all work pretty well.
>
>



-- 
Carl K

From mike_mp at zzzcomputing.com  Fri Jul 19 05:54:26 2013
From: mike_mp at zzzcomputing.com (Michael Bayer)
Date: Thu, 18 Jul 2013 23:54:26 -0400
Subject: [DB-SIG] mysql module embeds params in command string
In-Reply-To: <CADmzSShYS-K_p-1iw1kbKPzFQV5P5vYMZaywShJg8At0ae4jbQ@mail.gmail.com>
References: <CADmzSSiPEuryzEhCysqgGzn4mnE=xsMuAa5Fpsqs7QPCdGAL3A@mail.gmail.com>
	<E0396791-A980-4507-A5AC-8C13F2F91BC2@zzzcomputing.com>
	<CADmzSShYS-K_p-1iw1kbKPzFQV5P5vYMZaywShJg8At0ae4jbQ@mail.gmail.com>
Message-ID: <4CA745E7-7893-4B87-AAF0-D5B73E5692A2@zzzcomputing.com>

If I had to guess why Django has a statement like that up, they may not have worked out their driver architecture such that they can easily swap out various DBAPI implementations on top of the same database backend; i.e. they probably have a "mysql.py"  module with a big "import MySQLdb" hardcoded into it.   We've supported many DBAPIs per database for so long I've forgotten about that old issue.

Those other drivers generally target MySQLdb for compatibility, so I'm sure you can get them to work at least 90% with django without much more hassle than a monkeypatch.

On Jul 18, 2013, at 11:03 PM, Carl Karsten <carl at personnelware.com> wrote:

> Huh, I didn't know there were any other options.  I wonder why this says this:
> 
> MySQLdb is the Python interface to MySQL. Version 1.2.1p2 or later is
> required for full MySQL support in Django.
> 
> https://docs.djangoproject.com/en/1.5/ref/databases/#mysqldb
> 
> 
> 
> On Thu, Jul 18, 2013 at 9:08 AM, Michael Bayer <mike_mp at zzzcomputing.com> wrote:
>> 
>> On Jul 18, 2013, at 9:38 AM, Carl Karsten <carl at personnelware.com> wrote:
>> 
>>> I feel I need to post this now and then in hopes I find someone who
>>> can do something about it.  This might even be worth some PSF funding?
>>> 
>>> I am not a security expert, I am not qualified to asses the risk, it
>>> doesn't matter if I consider this a vulnerability.  That said, I know
>>> it is a problem that should be fixed.
>>> 
>>> query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args )
>>> self._query(query)
>>> 
>>> http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185
>>> 
>>> Yes: the mysql python module that everyone uses does string
>>> substitution to combine the command and parameters into a command with
>>> embedded constants.
>>> 
>>> I opened a bug against it years ago.  I looked at fixing it, but that
>>> lead me into coercing python values into whatever the mysql client lib
>>> does, and that is not something I should be doing.
>> 
>> 
>> Not like this shouldn't be fixed, but also in theory, people would be moving to MySQL Connector/Python, seeing as it's the Python driver that's actually advertised on the MySQL site and also runs in Python 3:
>> 
>> http://dev.mysql.com/doc/connector-python/en/
>> 
>> I haven't looked at its source, and it did take a long time for this driver to be usable, but recent versions seem to work well.    It's worth seeing what approach it takes to bound parameters internally.
>> 
>> Not to mention there's lots of other MySQL drivers: OurSQL, cymysql, pymysql.    I've tested all of these and they all work pretty well.
>> 
>> 
> 
> 
> 
> -- 
> Carl K


From carl at personnelware.com  Fri Jul 19 06:06:50 2013
From: carl at personnelware.com (Carl Karsten)
Date: Thu, 18 Jul 2013 23:06:50 -0500
Subject: [DB-SIG] mysql module embeds params in command string
In-Reply-To: <4CA745E7-7893-4B87-AAF0-D5B73E5692A2@zzzcomputing.com>
References: <CADmzSSiPEuryzEhCysqgGzn4mnE=xsMuAa5Fpsqs7QPCdGAL3A@mail.gmail.com>
	<E0396791-A980-4507-A5AC-8C13F2F91BC2@zzzcomputing.com>
	<CADmzSShYS-K_p-1iw1kbKPzFQV5P5vYMZaywShJg8At0ae4jbQ@mail.gmail.com>
	<4CA745E7-7893-4B87-AAF0-D5B73E5692A2@zzzcomputing.com>
Message-ID: <CADmzSShWX--n9B8pBhS_p7-ApzK6H=WetYOfmsYFZ4PJ_-CTGA@mail.gmail.com>

That 1/2 answers my question - and it sounds correct for what you are saying.

But I am wondering why they picked that one.    Yeah Yeah "Ask them"
is the obvious answer :)

I am also wondering why so many exist.  I would think after a year or
2 they would all merge together.  I have trouble trying to dream up 2
mutually exclusive features.

On Thu, Jul 18, 2013 at 10:54 PM, Michael Bayer
<mike_mp at zzzcomputing.com> wrote:
> If I had to guess why Django has a statement like that up, they may not have worked out their driver architecture such that they can easily swap out various DBAPI implementations on top of the same database backend; i.e. they probably have a "mysql.py"  module with a big "import MySQLdb" hardcoded into it.   We've supported many DBAPIs per database for so long I've forgotten about that old issue.
>
> Those other drivers generally target MySQLdb for compatibility, so I'm sure you can get them to work at least 90% with django without much more hassle than a monkeypatch.
>
> On Jul 18, 2013, at 11:03 PM, Carl Karsten <carl at personnelware.com> wrote:
>
>> Huh, I didn't know there were any other options.  I wonder why this says this:
>>
>> MySQLdb is the Python interface to MySQL. Version 1.2.1p2 or later is
>> required for full MySQL support in Django.
>>
>> https://docs.djangoproject.com/en/1.5/ref/databases/#mysqldb
>>
>>
>>
>> On Thu, Jul 18, 2013 at 9:08 AM, Michael Bayer <mike_mp at zzzcomputing.com> wrote:
>>>
>>> On Jul 18, 2013, at 9:38 AM, Carl Karsten <carl at personnelware.com> wrote:
>>>
>>>> I feel I need to post this now and then in hopes I find someone who
>>>> can do something about it.  This might even be worth some PSF funding?
>>>>
>>>> I am not a security expert, I am not qualified to asses the risk, it
>>>> doesn't matter if I consider this a vulnerability.  That said, I know
>>>> it is a problem that should be fixed.
>>>>
>>>> query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args )
>>>> self._query(query)
>>>>
>>>> http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185
>>>>
>>>> Yes: the mysql python module that everyone uses does string
>>>> substitution to combine the command and parameters into a command with
>>>> embedded constants.
>>>>
>>>> I opened a bug against it years ago.  I looked at fixing it, but that
>>>> lead me into coercing python values into whatever the mysql client lib
>>>> does, and that is not something I should be doing.
>>>
>>>
>>> Not like this shouldn't be fixed, but also in theory, people would be moving to MySQL Connector/Python, seeing as it's the Python driver that's actually advertised on the MySQL site and also runs in Python 3:
>>>
>>> http://dev.mysql.com/doc/connector-python/en/
>>>
>>> I haven't looked at its source, and it did take a long time for this driver to be usable, but recent versions seem to work well.    It's worth seeing what approach it takes to bound parameters internally.
>>>
>>> Not to mention there's lots of other MySQL drivers: OurSQL, cymysql, pymysql.    I've tested all of these and they all work pretty well.
>>>
>>>
>>
>>
>>
>> --
>> Carl K
>



-- 
Carl K

From mike_mp at zzzcomputing.com  Fri Jul 19 16:53:54 2013
From: mike_mp at zzzcomputing.com (Michael Bayer)
Date: Fri, 19 Jul 2013 10:53:54 -0400
Subject: [DB-SIG] mysql module embeds params in command string
In-Reply-To: <CADmzSShWX--n9B8pBhS_p7-ApzK6H=WetYOfmsYFZ4PJ_-CTGA@mail.gmail.com>
References: <CADmzSSiPEuryzEhCysqgGzn4mnE=xsMuAa5Fpsqs7QPCdGAL3A@mail.gmail.com>
	<E0396791-A980-4507-A5AC-8C13F2F91BC2@zzzcomputing.com>
	<CADmzSShYS-K_p-1iw1kbKPzFQV5P5vYMZaywShJg8At0ae4jbQ@mail.gmail.com>
	<4CA745E7-7893-4B87-AAF0-D5B73E5692A2@zzzcomputing.com>
	<CADmzSShWX--n9B8pBhS_p7-ApzK6H=WetYOfmsYFZ4PJ_-CTGA@mail.gmail.com>
Message-ID: <B0F722EE-5C22-44C4-AAF8-32A08B2C992E@zzzcomputing.com>


On Jul 19, 2013, at 12:06 AM, Carl Karsten <carl at personnelware.com> wrote:

> That 1/2 answers my question - and it sounds correct for what you are saying.
> 
> But I am wondering why they picked that one.    Yeah Yeah "Ask them"
> is the obvious answer :)

oh, well MySQLdb has been around way longer than all the others.   Four (maybe even two or three) years ago all those other drivers didn't exist yet.


> 
> I am also wondering why so many exist.  I would think after a year or
> 2 they would all merge together.
>  I have trouble trying to dream up 2
> mutually exclusive features.

my impression is that none of them are really targeting features, they are all targeting implementations.  OurSQL uses a different set of MySQL APis internally (I don't know the details) which supposedly grants significant performance increases.   PyMySQL targets the "written in pure Python crowd", i.e. no C code, I guess for Pypy, easier builds on windows.   MySQL-connector-Python I'm not as sure about, it seems to be related to the MySQL project itself and maybe is some kind of attempt to write the code differently, not sure, and cymysql I only know about because the guy's been emailing me dialect updates, it uses Cython, so I imagine the idea there is that it's written in C but is easier to develop and maintain vs. a "raw C" implementation.





> 
> On Thu, Jul 18, 2013 at 10:54 PM, Michael Bayer
> <mike_mp at zzzcomputing.com> wrote:
>> If I had to guess why Django has a statement like that up, they may not have worked out their driver architecture such that they can easily swap out various DBAPI implementations on top of the same database backend; i.e. they probably have a "mysql.py"  module with a big "import MySQLdb" hardcoded into it.   We've supported many DBAPIs per database for so long I've forgotten about that old issue.
>> 
>> Those other drivers generally target MySQLdb for compatibility, so I'm sure you can get them to work at least 90% with django without much more hassle than a monkeypatch.
>> 
>> On Jul 18, 2013, at 11:03 PM, Carl Karsten <carl at personnelware.com> wrote:
>> 
>>> Huh, I didn't know there were any other options.  I wonder why this says this:
>>> 
>>> MySQLdb is the Python interface to MySQL. Version 1.2.1p2 or later is
>>> required for full MySQL support in Django.
>>> 
>>> https://docs.djangoproject.com/en/1.5/ref/databases/#mysqldb
>>> 
>>> 
>>> 
>>> On Thu, Jul 18, 2013 at 9:08 AM, Michael Bayer <mike_mp at zzzcomputing.com> wrote:
>>>> 
>>>> On Jul 18, 2013, at 9:38 AM, Carl Karsten <carl at personnelware.com> wrote:
>>>> 
>>>>> I feel I need to post this now and then in hopes I find someone who
>>>>> can do something about it.  This might even be worth some PSF funding?
>>>>> 
>>>>> I am not a security expert, I am not qualified to asses the risk, it
>>>>> doesn't matter if I consider this a vulnerability.  That said, I know
>>>>> it is a problem that should be fixed.
>>>>> 
>>>>> query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args )
>>>>> self._query(query)
>>>>> 
>>>>> http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185
>>>>> 
>>>>> Yes: the mysql python module that everyone uses does string
>>>>> substitution to combine the command and parameters into a command with
>>>>> embedded constants.
>>>>> 
>>>>> I opened a bug against it years ago.  I looked at fixing it, but that
>>>>> lead me into coercing python values into whatever the mysql client lib
>>>>> does, and that is not something I should be doing.
>>>> 
>>>> 
>>>> Not like this shouldn't be fixed, but also in theory, people would be moving to MySQL Connector/Python, seeing as it's the Python driver that's actually advertised on the MySQL site and also runs in Python 3:
>>>> 
>>>> http://dev.mysql.com/doc/connector-python/en/
>>>> 
>>>> I haven't looked at its source, and it did take a long time for this driver to be usable, but recent versions seem to work well.    It's worth seeing what approach it takes to bound parameters internally.
>>>> 
>>>> Not to mention there's lots of other MySQL drivers: OurSQL, cymysql, pymysql.    I've tested all of these and they all work pretty well.
>>>> 
>>>> 
>>> 
>>> 
>>> 
>>> --
>>> Carl K
>> 
> 
> 
> 
> -- 
> Carl K