必须转义哪些字符以防止 (My)SQL 注入? [英] What characters have to be escaped to prevent (My)SQL injections?
问题描述
我正在使用 MySQL API 的功能
I'm using MySQL API's function
mysql_real_escape_string()
根据文档,它转义了以下字符:
Based on the documentation, it escapes the following characters:
\0
\n
\r
\
'
"
\Z
现在,我查看了 OWASP.org 的 ESAPI 安全库,在 Python 端口中它有以下代码(http://code.google.com/p/owasp-esapi-python/source/browse/esapi/codecs/mysql.py):
Now, I looked into OWASP.org's ESAPI security library and in the Python port it had the following code (http://code.google.com/p/owasp-esapi-python/source/browse/esapi/codecs/mysql.py):
"""
Encodes a character for MySQL.
"""
lookup = {
0x00 : "\\0",
0x08 : "\\b",
0x09 : "\\t",
0x0a : "\\n",
0x0d : "\\r",
0x1a : "\\Z",
0x22 : '\\"',
0x25 : "\\%",
0x27 : "\\'",
0x5c : "\\\\",
0x5f : "\\_",
}
现在,我想知道是否真的需要转义所有这些字符.我理解为什么 % 和 _ 在那里,它们是 LIKE 运算符中的元字符,但我不能简单地理解它们为什么要添加退格符和制表符 (\b \t)?如果您进行查询,是否存在安全问题:
Now, I'm wondering whether all those characters are really needed to be escaped. I understand why % and _ are there, they are meta characters in LIKE operator, but I can't simply understand why did they add backspace and tabulator characters (\b \t)? Is there a security issue if you do a query:
SELECT a FROM b WHERE c = '...user input ...';
用户输入包含制表符或退格字符的地方?
Where user input contains tabulators or backspace characters?
我的问题在这里:为什么他们在 ESAPI 安全库中包含 \b \t?在任何情况下,您可能需要转义这些字符吗?
My question is here: Why did they include \b \t in the ESAPI security library? Are there any situations where you might need to escape those characters?
推荐答案
\0
一个 ASCII NUL (0x00) 字符.\'
一个单引号 ('
") 字符.\"
一个双引号 ("
") 字符.\b
一个退格字符.\n
一个换行(换行)字符.\r
一个回车符.\t
一个制表符.\Z
ASCII 26 (Control-Z).请参阅表格后面的注释.\\
一个反斜杠(\
")字符.\%
一个%
"字符.请参阅表格后面的注释.\_
一个_
"字符.请参阅表格后面的注释.
\0
An ASCII NUL (0x00) character.\'
A single quote ("'
") character.\"
A double quote (""
") character.\b
A backspace character.\n
A newline (linefeed) character.\r
A carriage return character.\t
A tab character.\Z
ASCII 26 (Control-Z). See note following the table.\\
A backslash ("\
") character.\%
A "%
" character. See note following the table.\_
A "_
" character. See note following the table.
这篇关于必须转义哪些字符以防止 (My)SQL 注入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!