mysql-server-mcp

The server's source code is clear and does not contain 'eval' or obfuscation. It communicates over stdio, not exposing direct network ports. However, it relies on environment variables for MySQL credentials (MYSQL_HOST, MYSQL_PORT, MYSQL_USER, MYSQL_PASSWORD, MYSQL_DATABASE), with generic placeholder defaults ('username', 'password', 'database_name'). While the README explicitly warns against committing credentials and advises using environment variables, relying on these generic defaults without explicit configuration poses a risk if deployed carelessly. The server executes arbitrary SQL queries provided by the client, making it susceptible to SQL injection if the calling client/AI assistant does not properly sanitize its inputs before generating the SQL query. The code includes basic statement classification to route queries to appropriate handlers, preventing some accidental misuse (e.g., calling a SELECT with 'execute_sql'), but it does not perform advanced SQL injection prevention or input sanitization itself. The README advises implementing additional query validation and sanitization for production use, acknowledging this inherent risk.