The current implementation of using the mariadb client CLI has some limitations: https://github.com/MariaDB/mariadb_kernel/blob/0dddfe5cd8c3c9ad80687fed05401cc5313e6d86/mariadb_kernel/mariadb_client.py#L21-L27

The `run_statement` method (https://github.com/MariaDB/mariadb_kernel/blob/0dddfe5cd8c3c9ad80687fed05401cc5313e6d86/mariadb_kernel/mariadb_client.py#L100) doesn't support parameter substitution, which can lead to unintentional SQL injections while adding more magics: https://github.com/MariaDB/mariadb_kernel/blob/362e378c15d985779c83404796a2f4aa14578535/mariadb_kernel/maria_magics/load.py#L46 https://github.com/MariaDB/mariadb_kernel/blob/362e378c15d985779c83404796a2f4aa14578535/mariadb_kernel/maria_magics/load.py#L57

Security is not as much of an issue, but it can lead to issues with some commands, for example if the file is named `' a.csv`. Trying to escape these edge cases in Python will lead to an imperfect re-implementation of the escaping logic like the original connector. Ideally, the `run_statement` method should accept a list of substitution parameters like the Python connector: https://github.com/MariaDB/mariadb_kernel/blob/0dddfe5cd8c3c9ad80687fed05401cc5313e6d86/mariadb_kernel/mariadb_client.py#L50

Listening for the `MariaDB []` prompt causes some queries to never finish or truncate the output. The Python connector will be more reliable as it is both officially supported and thoroughly tested.

Whatever the fix for this ends up being, it will likely also fix #20. I'm going to mark it as an enhancement even though it is borderline between bug and enhancement.
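An added example (not mariadb_kernel's or MariaDB's own code) of the `run_statement` change the issue asks for: the string-spliced LOAD DATA the `%load` magic builds today, beside a client whose `run_statement` takes a parameter list and hands it to the driver's `cursor.execute`, as MariaDB Connector/Python (qmark paramstyle) does. The `MariaDBClient`, `load_csv`, `quote_identifier` and `Recording*` names are assumptions, and whether the server will prepare a placeholder inside a LOAD DATA statement is not checked here; the example only shows that the filename reaches the driver as a bound value rather than as SQL text, and that a table name (which cannot be bound) is allowlisted instead.

```python
import re
from typing import Any, Optional, Sequence

IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # allowlist for table names

def naive_load_statement(filename: str, table: str) -> str:
    # The pattern the issue describes: the filename is spliced into SQL text,
    # so a name such as "' a.csv" leaves the quotes unbalanced.
    return f"LOAD DATA LOCAL INFILE '{filename}' INTO TABLE {table};"

def quote_identifier(name: str) -> str:
    # Hypothetical helper: identifiers cannot be bound, so allowlist them instead.
    if not IDENTIFIER_RE.match(name):
        raise ValueError(f"refusing unexpected table name: {name!r}")
    return f"`{name}`"

class MariaDBClient:
    # Hypothetical client. `connection` is any object whose cursor().execute(sql, params)
    # binds params, e.g. the connection returned by mariadb.connect(...).
    def __init__(self, connection) -> None:
        self._conn = connection

    def run_statement(self, sql: str, params: Optional[Sequence[Any]] = None) -> list:
        cur = self._conn.cursor()
        cur.execute(sql, tuple(params or ()))  # the driver binds values; no escaping here
        return cur.fetchall() if getattr(cur, "description", None) else []

    def load_csv(self, filename: str, table: str) -> None:
        # The %load magic with substitution parameters: the filename travels as data.
        sql = (f"LOAD DATA LOCAL INFILE ? INTO TABLE {quote_identifier(table)} "
               "FIELDS TERMINATED BY ','")
        self.run_statement(sql, [filename])

class RecordingCursor:
    # Constructed stand-in for a driver cursor: records what was executed
    # (description stays None, so run_statement never fetches rows from it).
    description = None
    def __init__(self) -> None:
        self.calls: list = []
    def execute(self, sql: str, params: Sequence[Any] = ()) -> None:
        self.calls.append((sql, tuple(params)))

class RecordingConnection:
    # Constructed stand-in for a driver connection with one recording cursor.
    def __init__(self) -> None:
        self.cur = RecordingCursor()
    def cursor(self) -> RecordingCursor:
        return self.cur
```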