必须转义哪些字符以防止 (My)SQL 注入? [英] What characters have to be escaped to prevent (My)SQL injections?

问题描述

我正在使用 MySQL API 的功能

I'm using MySQL API's function

mysql_real_escape_string()

根据文档，它转义了以下字符:

Based on the documentation, it escapes the following characters:

\0
\n
\r
\
'
"
\Z

现在，我查看了 OWASP.org 的 ESAPI 安全库，在 Python 端口中它有以下代码(http://code.google.com/p/owasp-esapi-python/source/browse/esapi/codecs/mysql.py):

Now, I looked into OWASP.org's ESAPI security library and in the Python port it had the following code (http://code.google.com/p/owasp-esapi-python/source/browse/esapi/codecs/mysql.py):

        """
        Encodes a character for MySQL.
        """
        lookup = {
        0x00 : "\\0",
        0x08 : "\\b",
        0x09 : "\\t",
        0x0a : "\\n",
        0x0d : "\\r",
        0x1a : "\\Z",
        0x22 : '\\"',
        0x25 : "\\%",
        0x27 : "\\'",
        0x5c : "\\\\",
        0x5f : "\\_",
        }

现在，我想知道是否真的需要转义所有这些字符.我理解为什么 % 和 _ 在那里，它们是 LIKE 运算符中的元字符，但我不能简单地理解它们为什么要添加退格符和制表符 (\b \t)?如果您进行查询，是否存在安全问题:

Now, I'm wondering whether all those characters are really needed to be escaped. I understand why % and _ are there, they are meta characters in LIKE operator, but I can't simply understand why did they add backspace and tabulator characters (\b \t)? Is there a security issue if you do a query:

SELECT a FROM b WHERE c = '...user input ...';

用户输入包含制表符或退格字符的地方?

Where user input contains tabulators or backspace characters?

我的问题在这里:为什么他们在 ESAPI 安全库中包含 \b \t?在任何情况下，您可能需要转义这些字符吗?

My question is here: Why did they include \b \t in the ESAPI security library? Are there any situations where you might need to escape those characters?

推荐答案

MySQL字符串的手册页说:

• \0 一个 ASCII NUL (0x00) 字符.
• \' 一个单引号 ('") 字符.
• \" 一个双引号 ("") 字符.
• \b 一个退格字符.
• \n 一个换行(换行)字符.
• \r 一个回车符.
• \t 一个制表符.
• \Z ASCII 26 (Control-Z).请参阅表格后面的注释.
• \\ 一个反斜杠(\")字符.
• \% 一个%"字符.请参阅表格后面的注释.
• \_ 一个_"字符.请参阅表格后面的注释.

• \0   An ASCII NUL (0x00) character.
• \'   A single quote ("'") character.
• \"   A double quote (""") character.
• \b   A backspace character.
• \n   A newline (linefeed) character.
• \r   A carriage return character.
• \t   A tab character.
• \Z   ASCII 26 (Control-Z). See note following the table.
• \\   A backslash ("\") character.
• \%   A "%" character. See note following the table.
• \_   A "_" character. See note following the table.

这篇关于必须转义哪些字符以防止 (My)SQL 注入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！