<tfoot id='RhjK2'></tfoot>

  • <legend id='RhjK2'><style id='RhjK2'><dir id='RhjK2'><q id='RhjK2'></q></dir></style></legend>
      <bdo id='RhjK2'></bdo><ul id='RhjK2'></ul>

        <small id='RhjK2'></small><noframes id='RhjK2'>

      1. <i id='RhjK2'><tr id='RhjK2'><dt id='RhjK2'><q id='RhjK2'><span id='RhjK2'><b id='RhjK2'><form id='RhjK2'><ins id='RhjK2'></ins><ul id='RhjK2'></ul><sub id='RhjK2'></sub></form><legend id='RhjK2'></legend><bdo id='RhjK2'><pre id='RhjK2'><center id='RhjK2'></center></pre></bdo></b><th id='RhjK2'></th></span></q></dt></tr></i><div id='RhjK2'><tfoot id='RhjK2'></tfoot><dl id='RhjK2'><fieldset id='RhjK2'></fieldset></dl></div>

        必须转义哪些字符以防止 (My)SQL 注入?

        时间:2023-05-31
          <bdo id='1LCqO'></bdo><ul id='1LCqO'></ul>
              <legend id='1LCqO'><style id='1LCqO'><dir id='1LCqO'><q id='1LCqO'></q></dir></style></legend>
                <tbody id='1LCqO'></tbody>

              <tfoot id='1LCqO'></tfoot>

              <small id='1LCqO'></small><noframes id='1LCqO'>

              <i id='1LCqO'><tr id='1LCqO'><dt id='1LCqO'><q id='1LCqO'><span id='1LCqO'><b id='1LCqO'><form id='1LCqO'><ins id='1LCqO'></ins><ul id='1LCqO'></ul><sub id='1LCqO'></sub></form><legend id='1LCqO'></legend><bdo id='1LCqO'><pre id='1LCqO'><center id='1LCqO'></center></pre></bdo></b><th id='1LCqO'></th></span></q></dt></tr></i><div id='1LCqO'><tfoot id='1LCqO'></tfoot><dl id='1LCqO'><fieldset id='1LCqO'></fieldset></dl></div>

                • 本文介绍了必须转义哪些字符以防止 (My)SQL 注入?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着跟版网的小编来一起学习吧!

                  问题描述

                  我正在使用 MySQL API 的功能

                  I'm using MySQL API's function

                  mysql_real_escape_string()
                  

                  根据文档,它转义了以下字符:

                  Based on the documentation, it escapes the following characters:

                  \0
                  \n
                  \r
                  \
                  '
                  "
                  \Z
                  

                  现在,我查看了 OWASP.org 的 ESAPI 安全库,在 Python 端口中它有以下代码(http://code.google.com/p/owasp-esapi-python/source/browse/esapi/codecs/mysql.py):

                  Now, I looked into OWASP.org's ESAPI security library and in the Python port it had the following code (http://code.google.com/p/owasp-esapi-python/source/browse/esapi/codecs/mysql.py):

                          """
                          Encodes a character for MySQL.
                          """
                          lookup = {
                          0x00 : "\\0",
                          0x08 : "\\b",
                          0x09 : "\\t",
                          0x0a : "\\n",
                          0x0d : "\\r",
                          0x1a : "\\Z",
                          0x22 : '\\"',
                          0x25 : "\\%",
                          0x27 : "\\'",
                          0x5c : "\\\\",
                          0x5f : "\\_",
                          }
                  

                  现在,我想知道是否真的需要转义所有这些字符.我理解为什么 % 和 _ 在那里,它们是 LIKE 运算符中的元字符,但我不能简单地理解它们为什么要添加退格符和制表符 (\b \t)?如果您进行查询,是否存在安全问题:

                  Now, I'm wondering whether all those characters are really needed to be escaped. I understand why % and _ are there, they are meta characters in LIKE operator, but I can't simply understand why did they add backspace and tabulator characters (\b \t)? Is there a security issue if you do a query:

                  SELECT a FROM b WHERE c = '...user input ...';
                  

                  用户输入包含制表符或退格字符的地方?

                  Where user input contains tabulators or backspace characters?

                  我的问题在这里:为什么他们在 ESAPI 安全库中包含 \b \t?在任何情况下,您可能需要转义这些字符吗?

                  My question is here: Why did they include \b \t in the ESAPI security library? Are there any situations where you might need to escape those characters?

                  推荐答案

                  MySQL字符串的手册页说:

                  • \0 一个 ASCII NUL (0x00) 字符.
                  • \' 一个单引号 ('") 字符.
                  • \" 一个双引号 ("") 字符.
                  • \b 一个退格字符.
                  • \n 一个换行(换行)字符.
                  • \r 一个回车符.
                  • \t 一个制表符.
                  • \Z ASCII 26 (Control-Z).请参阅表格后面的注释.
                  • \\ 一个反斜杠(\")字符.
                  • \% 一个%"字符.请参阅表格后面的注释.
                  • \_ 一个_"字符.请参阅表格后面的注释.
                  • \0An ASCII NUL (0x00) character.
                  • \'A single quote ("'") character.
                  • \"A double quote (""") character.
                  • \bA backspace character.
                  • \nA newline (linefeed) character.
                  • \rA carriage return character.
                  • \tA tab character.
                  • \ZASCII 26 (Control-Z). See note following the table.
                  • \\A backslash ("\") character.
                  • \%A "%" character. See note following the table.
                  • \_A "_" character. See note following the table.

                  这篇关于必须转义哪些字符以防止 (My)SQL 注入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!

                  上一篇:有没有办法像oracle中的rownum一样获取Mysql中的行号 下一篇:将 utf-8 编码的文本加载到 MySQL 表中

                  相关文章

                    • <bdo id='1ZVF1'></bdo><ul id='1ZVF1'></ul>
                    <i id='1ZVF1'><tr id='1ZVF1'><dt id='1ZVF1'><q id='1ZVF1'><span id='1ZVF1'><b id='1ZVF1'><form id='1ZVF1'><ins id='1ZVF1'></ins><ul id='1ZVF1'></ul><sub id='1ZVF1'></sub></form><legend id='1ZVF1'></legend><bdo id='1ZVF1'><pre id='1ZVF1'><center id='1ZVF1'></center></pre></bdo></b><th id='1ZVF1'></th></span></q></dt></tr></i><div id='1ZVF1'><tfoot id='1ZVF1'></tfoot><dl id='1ZVF1'><fieldset id='1ZVF1'></fieldset></dl></div>

                    1. <legend id='1ZVF1'><style id='1ZVF1'><dir id='1ZVF1'><q id='1ZVF1'></q></dir></style></legend><tfoot id='1ZVF1'></tfoot>
                    2. <small id='1ZVF1'></small><noframes id='1ZVF1'>