What characters have to be escaped to prevent (My)SQL injections?
Question
I'm using MySQL API's function
mysql_real_escape_string()
Based on the documentation, it escapes the following characters:
\0
\n
\r
\
'
"
\Z
Now, I looked into OWASP.org's ESAPI security library and in the Python port it had the following code (http://code.google.com/p/owasp-esapi-python/source/browse/esapi/codecs/mysql.py):
"""
Encodes a character for MySQL.
"""
lookup = {
0x00 : "\\0",
0x08 : "\\b",
0x09 : "\\t",
0x0a : "\\n",
0x0d : "\\r",
0x1a : "\\Z",
0x22 : '\\"',
0x25 : "\\%",
0x27 : "\\'",
0x5c : "\\\\",
0x5f : "\\_",
}
Now, I'm wondering whether all those characters are really needed to be escaped. I understand why % and _ are there, they are meta characters in LIKE operator, but I can't simply understand why did they add backspace and tabulator characters (\b \t)? Is there a security issue if you do a query:
SELECT a FROM b WHERE c = '...user input ...';
Where user input contains tabulators or backspace characters?
My question is here: Why did they include \b \t in the ESAPI security library? Are there any situations where you might need to escape those characters?
Answer
The MySQL manual page for strings says:
\0    An ASCII NUL (0x00) character.
\'    A single quote ("'") character.
\"    A double quote (""") character.
\b    A backspace character.
\n    A newline (linefeed) character.
\r    A carriage return character.
\t    A tab character.
\Z    ASCII 26 (Control-Z). See note following the table.
\\    A backslash ("\") character.
\%    A "%" character. See note following the table.
\_    A "_" character. See note following the table.
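The "note following the table" in the MySQL manual says that \% and \_ are special only in pattern-matching contexts (LIKE) and otherwise evaluate to the two-character strings \% and \_, not to % and _. The Python below is an added example (not code from this thread, from ESAPI or from MySQL): it implements the lookup table quoted in the question and a simplified model of how MySQL reads the escaped text back in a plain equality comparison, so the round-trip check shows that escaping \b and \t is lossless while escaping % and _ changes the compared value outside LIKE. Assumed: the decoder follows the manual's rule that an unrecognized backslash escape is read as the character without the backslash.

```python
# Added example: ESAPI-style lookup escaper plus a model of MySQL's reading
# of a '...' literal in a non-LIKE context, to test which escapes round-trip.

# Lookup table exactly as in the question's ESAPI mysql.py snippet.
LOOKUP = {
    0x00: "\\0", 0x08: "\\b", 0x09: "\\t", 0x0a: "\\n", 0x0d: "\\r",
    0x1a: "\\Z", 0x22: '\\"', 0x25: "\\%", 0x27: "\\'", 0x5c: "\\\\",
    0x5f: "\\_",
}

def esapi_escape(value: str) -> str:
    """Escape each character in LOOKUP; every other character passes through."""
    return "".join(LOOKUP.get(ord(ch), ch) for ch in value)

# Backslash sequences MySQL turns back into one character inside a string
# literal (the answer's table). \% and \_ are deliberately absent: outside a
# LIKE pattern MySQL keeps them as the two-character text "\%" / "\_".
UNESCAPE = {
    "0": "\x00", "'": "'", '"': '"', "b": "\x08", "n": "\n",
    "r": "\r", "t": "\t", "Z": "\x1a", "\\": "\\",
}

def mysql_read_literal(body: str) -> str:
    """Value MySQL assigns to the literal '<body>' when it is not a LIKE pattern."""
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            if nxt in UNESCAPE:
                out.append(UNESCAPE[nxt])
            elif nxt in "%_":
                out.append("\\" + nxt)      # kept verbatim in this context
            else:
                out.append(nxt)             # unknown escape: backslash ignored
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def build_query(user_input: str) -> str:
    """The query shape from the question with the escaped input embedded."""
    return "SELECT a FROM b WHERE c = '" + esapi_escape(user_input) + "';"

def roundtrips(value: str) -> bool:
    """True if the comparison value MySQL sees equals the original input."""
    return mysql_read_literal(esapi_escape(value)) == value
```

With constructed inputs such as "O'Hara", "tab\there" and "50%", roundtrips() returns True for the first two and False for the third, which is the practical cost of escaping % and _ in a non-LIKE query.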