Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
524 views
in Technique[技术] by (71.8m points)

mysql - What characters have to be escaped to prevent (My)SQL injections?

I'm using MySQL API's function

mysql_real_escape_string()

Based on the documentation, it escapes the following characters:







'
"

Now, I looked into OWASP.org's ESAPI security library and in the Python port it had the following code (http://code.google.com/p/owasp-esapi-python/source/browse/esapi/codecs/mysql.py):

        """
        Encodes a character for MySQL.
        """
        lookup = {
        0x00 : "\0",
        0x08 : "\b",
        0x09 : "\t",
        0x0a : "\n",
        0x0d : "\r",
        0x1a : "\Z",
        0x22 : '"',
        0x25 : "\%",
        0x27 : "\'",
        0x5c : "",
        0x5f : "\_",
        }

Now, I'm wondering whether all those characters are really needed to be escaped. I understand why % and _ are there, they are meta characters in LIKE operator, but I can't simply understand why did they add backspace and tabulator characters ( )? Is there a security issue if you do a query:

SELECT a FROM b WHERE c = '...user input ...';

Where user input contains tabulators or backspace characters?

My question is here: Why did they include in the ESAPI security library? Are there any situations where you might need to escape those characters?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

A guess concerning the backspace character: Imagine I send you an email "Hi, here's the query to update your DB as you wanted" and an attached textfile with

INSERT INTO students VALUES ("Bobby Tables",12,"abc",3.6);

You cat the file, see it's okay, and just pipe the file to MySQL. What you didn't know, however, was that I put

DROP TABLE students;

before the INSERT STATEMENT which you didn't see because on console output the backspaces overwrote it. Bamm!

Just a guess, though.

Edit (couldn't resist):

alt text


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...