Erlang Mysql: How to prevent SQL Injections
I'm very new to erlang and I need to code something which inserts rows in a MySQL Database. How can I prevent SQL Injections with Erlang? Is there also something like prepared statements in other languages or how should I do it?
Thanks for your replies.
This answer depends on the driver you are using.
Erlang ODBC has a function param_query that binds a set of parameters to the query and it might also escape all the SQL special characters.
erlang-mysql-driver has prepared statements:
%% Register a prepared statement under the name update_developer_country;
%% each ? is a placeholder that is bound at execution time, never spliced
%% into the query text
mysql:prepare(update_developer_country,
<<"UPDATE developer SET country=? where name like ?">>).
%% Execute the prepared statement on pool p1 (the pool id given to
%% mysql:start_link); the values are sent separately from the SQL
mysql:execute(p1, update_developer_country, [<<"Sweden">>,<<"%Wiger">>]).
(code from Yariv's blog)
As a last resort you can always escape the characters:
NUL (0x00) --> \0
BS (0x08) --> \b
TAB (0x09) --> \t
LF (0x0a) --> \n
CR (0x0d) --> \r
SUB (0x1a) --> \z
" (0x22) --> \"
% (0x25) --> \%
' (0x27) --> \'
\ (0x5c) --> \\
_ (0x5f) --> \_
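The escaping table from the answer turned into an Erlang module, as an added example that is not from the original answer, from Yariv's blog or from any MySQL driver; the module and function names are my own. MySQL only interprets `\%` and `\_` inside a LIKE pattern (elsewhere the backslash is kept), so those two escapes are applied by a separate function meant for pattern arguments only.

```erlang
%% Added example (not from the answer or a driver): the escaping table above
%% as an Erlang module. Prepared statements remain the first choice.
-module(mysql_escape).
-export([escape/1, escape_like/1, quote/1, quote_like/1,
         update_country_sql/2]).

%% Escape the characters MySQL treats specially inside a quoted string
%% literal. Works byte by byte, so UTF-8 input passes through unchanged.
-spec escape(binary()) -> binary().
escape(Bin) when is_binary(Bin) ->
    iolist_to_binary([esc(C) || <<C>> <= Bin]).

%% Same, plus the LIKE wildcards. MySQL only interprets \% and \_ inside a
%% LIKE pattern, so use this variant for pattern arguments only.
-spec escape_like(binary()) -> binary().
escape_like(Bin) when is_binary(Bin) ->
    iolist_to_binary([esc_like(C) || <<C>> <= Bin]).

esc(0)   -> <<"\\0">>;    % NUL
esc(8)   -> <<"\\b">>;    % BS
esc(9)   -> <<"\\t">>;    % TAB
esc(10)  -> <<"\\n">>;    % LF
esc(13)  -> <<"\\r">>;    % CR
esc(26)  -> <<"\\z">>;    % SUB (Ctrl-Z)
esc($")  -> <<"\\\"">>;
esc($')  -> <<"\\'">>;
esc($\\) -> <<"\\\\">>;
esc(C)   -> C.            % every other byte is passed through unchanged

esc_like($%) -> <<"\\%">>;
esc_like($_) -> <<"\\_">>;
esc_like(C)  -> esc(C).

%% Wrap an escaped value in single quotes so it is a complete SQL literal.
quote(Bin)      -> <<"'", (escape(Bin))/binary, "'">>.
quote_like(Bin) -> <<"'", (escape_like(Bin))/binary, "'">>.

%% The UPDATE from the answer, built by hand when no parameter binding is
%% available. quote/1 turns <<"x' OR '1'='1">> into the single literal
%% 'x\' OR \'1\'=\'1', so the embedded quotes cannot end the string early.
update_country_sql(Country, NamePattern) ->
    <<"UPDATE developer SET country=", (quote(Country))/binary,
      " WHERE name LIKE ", (quote_like(NamePattern))/binary>>.
```

Compile with `erlc mysql_escape.erl` and call `mysql_escape:update_country_sql(<<"Sweden">>, <<"%Wiger">>)` in the shell to see the resulting query; the escaped output is only correct if the connection uses a single-byte or UTF-8 character set, which is the other reason the driver's own binding should be preferred.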