MySQL escape characters are the special characters that must be escaped when they appear inside a string literal in a SQL statement. Left unescaped, they either break the statement with a syntax error or open the door to SQL injection.
The main characters that need escaping are:
\x00, \n, \r, \, ', " and \x1a.
Here is a SQL test:
mysql> INSERT INTO nodes(name) VALUES ('select a.dt, count(*), count(distinct a.uv) from (select dt, case when p2 in ('04', '06')') ;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '04', '06')')' at line 1
The fix is to put a \ in front of each embedded quote:
INSERT INTO nodes(name) VALUES ('select a.dt, count(*), count(distinct a.uv) from (select dt, case when p2 in (\'04\', \'06\')');
Query OK, 1 row affected (0.04 sec)
mysql_real_escape_string
(import libmysqlclient "mysql_real_escape_string")
> (load "/opt/newlisp_util/mysql.lsp")
MAIN
> (setf db-src (Mysql))
(Mysql 27962464)
> (:escape db-src "select dt, case when p2 in ('04', '06')")
"select dt, case when p2 in (\\'04\\', \\'06\\')\000
You can also use the extended form of :query:
;; (:query db '("SELECT id FROM employees WHERE name = %s" '("Johnson, John")))
;; ; SQL generated: SELECT id FROM employees WHERE name = 'Johnson, John'
;; => (MysqlResult 1069216)
Simply collect the values in a list and pass it as the last argument to the query function; each value is escaped and quoted before it is substituted for its %s placeholder.
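As an added example (not from the original post and not newLISP's mysql.lsp), the escaping rules listed above written out in Python, using the substitutions MySQL documents for mysql_real_escape_string, plus a small build_insert helper that mirrors the %s substitution of the :query form. It assumes the default sql_mode (backslash escapes enabled) and ignores multi-byte charset handling, which the real C function performs and this pure-string version does not.

```python
# Added example: the escaping rules from the post, implemented in Python.
# Assumes the default sql_mode (NO_BACKSLASH_ESCAPES off); not charset-aware.

# Characters that must be escaped inside a quoted MySQL string literal,
# mapped to the replacement mysql_real_escape_string produces for each.
ESCAPES = {
    "\x00": "\\0",   # NUL
    "\n":   "\\n",   # newline
    "\r":   "\\r",   # carriage return
    "\\":   "\\\\",  # backslash
    "'":    "\\'",   # single quote
    '"':    '\\"',   # double quote
    "\x1a": "\\Z",   # Ctrl-Z
}


def escape_string(value: str) -> str:
    """Return value with every special character replaced by its escaped form."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def quote(value: str) -> str:
    """Escape value and wrap it in single quotes so it can be embedded in SQL."""
    return "'" + escape_string(value) + "'"


def build_insert(table: str, column: str, value: str) -> str:
    """Mirror of the post's (:query db '("... %s" '(value))) form: the value is
    escaped and quoted before substitution. table/column are identifiers and
    are NOT escaped here, so they must come from code, never from user input."""
    return f"INSERT INTO {table}({column}) VALUES ({quote(value)})"


if __name__ == "__main__":
    # The string from the post that broke the unescaped INSERT.
    name = ("select a.dt, count(*), count(distinct a.uv) "
            "from (select dt, case when p2 in ('04', '06')")
    print(build_insert("nodes", "name", name))
```

Running it prints the same escaped literal the :escape call in the post returns, wrapped in a complete INSERT statement.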
Handling MySQL escape characters in newLISP
Original article: http://blog.csdn.net/csfreebird/article/details/42936419