What are the dangerous characters that should be replaced in user input when the users' input will be inserted in a MySQL query? I know about quotes, double quotes, \r and \n. Are there others?
(I don't have the option of using a smart connector that accepts parameters so I have to build the query myself and this will be implemented in multiple programming languages, including some obscure ones so solutions such as mysql_real_escape_string
in PHP are not valid)
mysql_real_escape_string()来自 mysql.com 文档:
考虑到连接的当前字符集,from 中的字符串被编码为转义的 SQL 字符串。结果被放入 to 中并附加一个终止空字节。编码的字符有 NUL (ASCII 0)、“\n”、“\r”、“\”、“'”、“"” 和 Control-Z(请参见第 8.1 节“文字值”)。(严格来说, MySQL 仅要求转义反斜杠和用于在查询中引用字符串的引号字符。此函数引用其他字符以使它们更容易在日志文件中读取。)
mysql_real_escape_string()是字符集感知的,因此复制其所有功能(特别是针对多字节攻击问题)并不是一项小工作。
From http://cognifty.com/blog.entry/id=6/addslashes_dont_call_it_a_comeback.html:
AS = addslashes()
MRES = mysql_real_escape_string()
ACS = addcslashes() //called with "\\\000\n\r'\"\032%_"
Feature AS MRES ACS
escapes quote, double quote, and backslash yes yes yes
escapes LIKE modifiers: underscore, percent no no yes
escapes with single quotes instead of backslash no yes*1 no
character-set aware no yes*2 no
prevents multi-byte attacks no yes*3 no
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)