必须转义哪些字符以防止 (My)SQL 注入?
我正在使用 MySQL API 的功能
I'm using MySQL API's function
mysql_real_escape_string()
根据文档,它转义了以下字符:
Based on the documentation, it escapes the following characters:
\0
\n
\r
\
'
"
\Z
现在,我查看了 OWASP.org 的 ESAPI 安全库,在 Python 端口中它有以下代码(http://code.google.com/p/owasp-esapi-python/source/browse/esapi/codecs/mysql.py):
Now, I looked into OWASP.org's ESAPI security library and in the Python port it had the following code (http://code.google.com/p/owasp-esapi-python/source/browse/esapi/codecs/mysql.py):
"""
Encodes a character for MySQL.
"""
lookup = {
0x00 : "\\0",
0x08 : "\\b",
0x09 : "\\t",
0x0a : "\\n",
0x0d : "\\r",
0x1a : "\\Z",
0x22 : '\\"',
0x25 : "\\%",
0x27 : "\\'",
0x5c : "\\\\",
0x5f : "\\_",
}
现在,我想知道是否真的需要转义所有这些字符.我理解为什么 % 和 _ 在那里,它们是 LIKE 运算符中的元字符,但我不能简单地理解它们为什么要添加退格符和制表符 (\b \t)?如果您进行查询,是否存在安全问题:
Now, I'm wondering whether all those characters are really needed to be escaped. I understand why % and _ are there, they are meta characters in LIKE operator, but I can't simply understand why did they add backspace and tabulator characters (\b \t)? Is there a security issue if you do a query:
SELECT a FROM b WHERE c = '...user input ...';
用户输入包含制表符或退格字符的地方?
Where user input contains tabulators or backspace characters?
我的问题在这里:为什么他们在 ESAPI 安全库中包含 \b \t?在任何情况下,您可能需要转义这些字符吗?
My question is here: Why did they include \b \t in the ESAPI security library? Are there any situations where you might need to escape those characters?
推荐答案
MySQL字符串的手册页说:
\0
一个 ASCII NUL (0x00) 字符.\'
一个单引号 ('
") 字符.\"
一个双引号 ("
") 字符.\b
一个退格字符.\n
一个换行(换行)字符.\r
一个回车符.\t
一个制表符.\Z
ASCII 26 (Control-Z).请参阅表格后面的注释.\\
一个反斜杠(\
")字符.\%
一个%
"字符.请参阅表格后面的注释.\_
一个_
"字符.请参阅表格后面的注释.
\0
An ASCII NUL (0x00) character.\'
A single quote ("'
") character.\"
A double quote (""
") character.\b
A backspace character.\n
A newline (linefeed) character.\r
A carriage return character.\t
A tab character.\Z
ASCII 26 (Control-Z). See note following the table.\\
A backslash ("\
") character.\%
A "%
" character. See note following the table.\_
A "_
" character. See note following the table.
相关文章