What characters have to be escaped to prevent (My)SQL injections?

温柔的废话 2020-11-29 05:47

I'm using MySQL API's function

mysql_real_escape_string()

Based on the documentation, it escapes the following characters:

6 answers
  • 2020-11-29 05:53

    Blacklisting (identifying bad characters) is never the way to go, if you have any other options.

    You need to use a combination of whitelisting, and more importantly, bound-parameter approaches.

    Whilst this particular answer has a PHP focus, it still helps plenty and will help explain that just running a string through a char filter doesn't work in many cases. Please, please see Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?

  • 2020-11-29 05:53

    Java solution:

    public static String filter( String s ) {
        StringBuffer buffer = new StringBuffer();
        int i;

        for( byte b : s.getBytes() ) {
            i = (int) b;

            switch( i ) {
                case  9 : buffer.append( "    " ); break;   // tab -> four spaces
                case 10 : buffer.append( "\\n"  ); break;   // newline
                case 13 : buffer.append( "\\r"  ); break;   // carriage return
                case 34 : buffer.append( "\\\"" ); break;   // double quote
                case 39 : buffer.append( "\\'"  ); break;   // single quote
                case 92 : buffer.append( "\\"   );          // backslash: no break, falls through so the '\' itself is appended as well
                default :
                    // pass printable ASCII through unchanged; every other byte is dropped
                    if( i > 31 && i < 127 ) buffer.append( new String( new byte[] { b } ) );
            }
        }

        return buffer.toString();
    }
    
  • 2020-11-29 06:08

    The MySQL manual page for strings says:

    • \0   An ASCII NUL (0x00) character.
    • \'   A single quote (“'”) character.
    • \"   A double quote (“"”) character.
    • \b   A backspace character.
    • \n   A newline (linefeed) character.
    • \r   A carriage return character.
    • \t   A tab character.
    • \Z   ASCII 26 (Control-Z). See note following the table.
    • \\   A backslash (“\”) character.
    • \%   A “%” character. See note following the table.
    • \_   A “_” character. See note following the table.
  • 2020-11-29 06:09

    A guess concerning the backspace character: Imagine I send you an email "Hi, here's the query to update your DB as you wanted" and an attached textfile with

    INSERT INTO students VALUES ("Bobby Tables",12,"abc",3.6);
    

    You cat the file, see it's okay, and just pipe the file to MySQL. What you didn't know, however, was that I put

    DROP TABLE students;\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b
    

    before the INSERT STATEMENT which you didn't see because on console output the backspaces overwrote it. Bamm!

    Just a guess, though.

    Edit (couldn't resist):


  • 2020-11-29 06:10

    Couldn't one just delete the single quote(s) from user input?

    eg: $input =~ s/\'|\"//g;

  • 2020-11-29 06:11

    Where user input contains tabulators or backspace characters?

    It's quite a remarkable fact that up to this day most users still believe that it's user input that has to be escaped, and that such escaping "prevents injections".

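    As an added example (not code from this thread), here is the escaping that mysql_real_escape_string() is documented to perform, reimplemented in Python and applied to three query positions, to make concrete the point of the 06:08 and 06:11 answers: escaping belongs to the SQL string-literal context, not to "user input", so the very same function does nothing useful in a numeric position and leaves the LIKE wildcards from the manual's table untouched. It assumes MySQL's default SQL mode (NO_BACKSLASH_ESCAPES not set) and an ASCII-compatible connection charset; the `students` table and its columns are made up.

```python
import re
from typing import Optional

# The characters mysql_real_escape_string() is documented to encode, each
# mapped to the escape sequence from the manual's string-literal table.
MYSQL_ESCAPES = {
    "\0": "\\0",    # NUL
    "'": "\\'",     # single quote
    '"': '\\"',     # double quote
    "\n": "\\n",    # newline
    "\r": "\\r",    # carriage return
    "\x1a": "\\Z",  # Control-Z
    "\\": "\\\\",   # backslash
}


def escape_string(value: str) -> str:
    """Escape a value for use INSIDE a quoted MySQL string literal."""
    return "".join(MYSQL_ESCAPES.get(ch, ch) for ch in value)


def quote_literal(value: str) -> str:
    """The escaping only means anything together with the surrounding quotes."""
    return "'" + escape_string(value) + "'"


def build_name_query(name: str) -> str:
    """String-literal context: quotes plus escaping keep the value inert."""
    return "SELECT * FROM students WHERE name = " + quote_literal(name)


def build_like_query(pattern: str) -> str:
    """LIKE context: % and _ are wildcards that escape_string() never touches,
    so they get the manual's \\% and \\_ sequences after the string escaping."""
    wild = escape_string(pattern).replace("%", "\\%").replace("_", "\\_")
    return "SELECT * FROM students WHERE name LIKE '" + wild + "'"


def build_id_query(user_id: str) -> Optional[str]:
    """Numeric context: there is no quote to close, so escaping cannot help.
    The value has to be validated (or bound as a parameter) instead; anything
    that is not a plain decimal integer is rejected and None is returned."""
    if not re.fullmatch(r"[0-9]+", user_id):
        return None
    return "SELECT * FROM students WHERE id = " + user_id
```

Note that a backspace, a tab, `%` and `_` pass through escape_string() unchanged, which is correct for a string literal but is exactly why the same value needs different handling in a LIKE pattern or a terminal.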