清理MySQL用户参数 [英] Sanitizing MySQL user parameters

问题描述

在将用户输入插入MySQL查询中时，应在用户输入中替换哪些危险字符?我知道引号，双引号，\ r和\ n.还有其他吗?
_{(我无法选择使用接受参数的智能连接器，因此我必须自己构建查询，这将以多种编程语言实现，包括一些晦涩的语言，因此解决方案例如PHP中的mysql_real_escape_string无效)}

What are the dangerous characters that should be replaced in user input when the users' input will be inserted in a MySQL query? I know about quotes, double quotes, \r and \n. Are there others?
_{(I don't have the option of using a smart connector that accepts parameters so I have to build the query myself and this will be implemented in multiple programming languages, including some obscure ones so solutions such as mysql_real_escape_string in PHP are not valid)}

推荐答案

来自mysql.com文档的mysql_real_escape_string():

考虑到连接的当前字符集，from中的字符串被编码为转义的SQL字符串.结果放入并附加一个终止的空字节.编码的字符为NUL(ASCII 0)，"\ n"，"\ r"，"\"，'"，"和Control-Z(请参见第8.1节文字值"). MySQL仅要求转义反斜杠和用于在查询中用于对字符串加引号的引号.此函数对其他字符加引号，以使它们更易于在日志文件中读取.)

---

mysql_real_escape_string()可以识别字符集，因此复制其所有功能(尤其是针对多字节攻击问题)并不是一件小事.

---

mysql_real_escape_string() is character set aware, so replicating all its abilities (especially against multi-byte attack issues) is not a small amount of work.

来自 http://cognifty.com/blog.entry/id= 6/addslashes_dont_call_it_a_comeback.html :

AS = addslashes()  
MRES = mysql_real_escape_string()
ACS = addcslashes() //called with "\\\000\n\r'\"\032%_"

Feature                                         AS     MRES    ACS
escapes quote, double quote, and backslash      yes    yes     yes
escapes LIKE modifiers: underscore, percent     no     no      yes
escapes with single quotes instead of backslash no     yes*1   no
character-set aware                             no     yes*2   no
prevents multi-byte attacks                     no     yes*3   no

这篇关于清理MySQL用户参数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！