Erlang Mysql: How to prevent SQL Injections


Question


I'm very new to Erlang and I need to code something which inserts rows in a MySQL database. How can I prevent SQL injections with Erlang? Is there also something like prepared statements, as in other languages, or how should I do it?

Thanks for your replies.

Solution

This answer depends on the driver you are using.

Erlang ODBC has a function param_query that binds a set of parameters to the query and it might also escape all the SQL special characters.

erlang-mysql-driver has prepared statements:

%% Register a prepared statement; the two ? placeholders are bound at execute time
mysql:prepare(update_developer_country,
              <<"UPDATE developer SET country=? where name like ?">>),

%% Execute the prepared statement: p1 is the connection pool id, and the two
%% binaries are bound to the placeholders in order
mysql:execute(p1, update_developer_country, [<<"Sweden">>, <<"%Wiger">>]),

(code from Yariv's blog)

As a last resort you can always escape the characters:

 NUL (0x00) --> \0 
 BS  (0x08) --> \b
 TAB (0x09) --> \t
 LF  (0x0a) --> \n
 CR  (0x0d) --> \r
 SUB (0x1a) --> \z
 "   (0x22) --> \"
 %   (0x25) --> \%
 '   (0x27) --> \'
 \   (0x5c) --> \\
 _   (0x5f) --> \_ 
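The escape table above, implemented as an Erlang module (an added example, not code from the answer or from erlang-mysql-driver); the module name and function names are my own, and it assumes values arrive as UTF-8 binaries.

```erlang
%% sql_escape.erl - added example; not code from the original answer or
%% from erlang-mysql-driver. It implements the escape table given above
%% as the last-resort fallback the answer describes, working on UTF-8
%% binaries byte by byte (UTF-8 multi-byte sequences never contain these
%% bytes). With multi-byte charsets such as GBK a byte-wise escape is not
%% safe, which is one more reason to prefer the prepared statement above.
-module(sql_escape).
-export([escape/1, escape_like/1, quote/1]).

%% escape/1 rewrites each byte the table lists as special. The LIKE
%% wildcards % and _ are NOT touched here: outside a LIKE pattern a "\%"
%% would be stored as a literal backslash-percent, so they are only
%% escaped by escape_like/1.
-spec escape(binary()) -> binary().
escape(Bin) when is_binary(Bin) ->
    << <<(esc_byte(B))/binary>> || <<B>> <= Bin >>.

%% escape_like/1 is escape/1 plus the two LIKE wildcards, for values that
%% end up inside a LIKE pattern (the "%Wiger" argument above).
-spec escape_like(binary()) -> binary().
escape_like(Bin) when is_binary(Bin) ->
    << <<(esc_like_byte(B))/binary>> || <<B>> <= Bin >>.

%% quote/1 returns a complete single-quoted SQL string literal. A value
%% such as <<"O'Brien">> becomes <<"'O\\'Brien'">>, so an embedded quote
%% can no longer terminate the literal.
-spec quote(binary()) -> binary().
quote(Bin) ->
    <<"'", (escape(Bin))/binary, "'">>.

esc_byte(0)   -> <<"\\0">>;     % NUL
esc_byte(8)   -> <<"\\b">>;     % backspace
esc_byte(9)   -> <<"\\t">>;     % tab
esc_byte(10)  -> <<"\\n">>;     % line feed
esc_byte(13)  -> <<"\\r">>;     % carriage return
esc_byte(26)  -> <<"\\Z">>;     % SUB; the MySQL manual spells this \Z
esc_byte($")  -> <<"\\\"">>;
esc_byte($')  -> <<"\\'">>;
esc_byte($\\) -> <<"\\\\">>;
esc_byte(B)   -> <<B>>.

esc_like_byte($%) -> <<"\\%">>;
esc_like_byte($_) -> <<"\\_">>;
esc_like_byte(B)  -> esc_byte(B).
```

Escaping only protects values placed inside a quoted string literal; a value spliced into a numeric position or an identifier still needs the prepared-statement route.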
