问题
I'm very new to erlang and I need to code something which inserts rows in a MySQL Database. How can I prevent SQL Injections with Erlang? Is there also something like prepared statements in other Languages or how should I do it?
Thanks for your replies.
回答1:
This answer depends on the driver you are using.
Erlang ODBC has a function param_query that binds a set of parameters to the query and it might also escape all the SQL special characters.
erlang-mysql-driver has prepared statements:
%% Register a prepared statement
mysql:prepare(update_developer_country,
<<"UPDATE developer SET country=? where name like ?">>),
%% Execute the prepared statement
mysql:execute(p1, update_developer_country, [<<"Sweden">>,<<"%Wiger">>]),
(code from Yariv's blog)
As a last resort you can always escape the characters
NUL (0x00) --> \0
BS (0x08) --> \b
TAB (0x09) --> \t
LF (0x0a) --> \n
CR (0x0d) --> \r
SUB (0x1a) --> \z
" (0x22) --> \"
% (0x25) --> \%
' (0x27) --> \'
\ (0x5c) --> \\
_ (0x5f) --> \_
来源:https://stackoverflow.com/questions/7188346/erlang-mysql-how-to-prevent-sql-injections