java mysql escape_Java的等效PHP的mysql_real_escape_string()

最新推荐文章于 2021-11-30 16:37:38 发布
最新推荐文章于 2021-11-30 16:37:38 发布
阅读量166 收藏
点赞数
文章标签: java mysql escape
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_28481133/article/details/113214681
版权

bd96500e110b49cbb3cd949968f18be7.png

Is there a Java equivalent to PHP's mysql_real_escape_string() ?

This is to escape SQL injection attempts before passing them to Statement.execute().

I know I can use PreparedStatement instead, but let's assume these are one shot statements so preparing them will result in lower performance. I've already changed the code to use PreparedStatement but given the way the existing code was structured, an escape() function would make the code changes much simpler to review and maintain; I prefer easy to maintain code unless there is a compelling reason for the extra complexity. Also PreparedStatements are handled differently by the database, so this could expose us to bugs in the database that we haven't run into before, requiring more testing before releasing to production.

Postscript:

There are a lot of subtleties in the environment I inherited that I deliberately avoided in my question.

Two points to consider:

1) Prepared statements are not a panacea and do not provide 100% protection against SQL injection. Some database drivers instantiate parameterised queries using unsafe string concatenation, rather than pre-compiling the query to a binary form. Also, if your SQL relies on stored procedures, you need to ensure the stored procedures do not themselves build queries in unsafe ways.

2) Most prepared statement implementation bind the statement to the database connection the statement was instantiated on. If you are using database connection pooling, you need to be careful to

use the prepared statement reference only with the connection it was prepared on. Some pooling mechanisms do implement this transparently. Otherwise you could pool the prepared statements as well or (simplest but more overhead) create a new prepared statement for every query.

解决方案

As far as I know, there is no "standard" way to do it.

I strongly suggest using prepared statements despite your current concerns. The performance impact is going to be negligible - we have a similar situation with several thousand statements per second - most of them one-shots as well.

The security you gain should be weighed much higher than a performance problem you have not even seen yet. In my opinion this is a clear situation of "Don't optimize prematurely".

In any case should you really find out later that you run into performance problems, make sure that the prepared statements are really the cause by profiling carefully and then look for alternatives. Till then you should save yourself the hassle of trying to get the escaping right.

This is even more important as I infer you are developing some sort of public facing site - internal apps seldom get enough traffic to be concerned about performance anyway.

林葭音
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
PHP函数addslashes和mysql_real_escape_string的区别
10-26
主要介绍了PHP函数addslashes和mysql_real_escape_string的区别,以及一个SQL注入漏洞介绍,需要的朋友可以参考下
php mysql_real_escape_string函数用法与实例教程
10-26
mysql_real_escape_string() 函数用来转义SQL语句中使用的字符串中的特殊字符
mysql real java_Java等价于PHPmysql_real_escape_string()
weixin_35750747的博客
01-19 181
有没有Java相当于PHPmysql_real_escape_string()?这是在将它们传递给Statement.execute()之前,先转义SQL注入尝试.我知道我可以使用PreparedStatement,但是我们假设这些是一个镜头的语句,所以准备它们将导致lower performance.我已经改变了使用PreparedStatement的代码,但是给定了现有代码的结构,escap...
mysql_escape_string()函数用法分析
10-22
主要介绍了mysql_escape_string()函数用法,结合实例形式讲述了mysql_escape_string()函数的功能,并分析了mysql_escape_string的使用技巧与注意事项,需要的朋友可以参考下
mysql real java_PHP中的mysql_real_escape_string函数
weixin_33573700的博客
02-07 97
根据你的使用目的我觉得这个函数有两方面的用途:防止SQL Injection攻击,也就是你必须验证用户的输入操作数据的时候避免不必要的字符导致错误mysql_real_escape_string() 函数转义 SQL 语句中使用的字符串中的特殊字符。下列字符受影响:\x00\n\r\'"\x1a如果成功,则该函数返回被转义的字符串。如果失败,则返回 false。攻击的例子[1]例子 1$con =...
java mysql escape_java程序:mysql特殊字符处理
weixin_39625709的博客
02-06 128
package test;import java.util.HashMap;import java.util.Map;public class MYSQLEncoder {private static Map referencesMap = new HashMap();static{referencesMap.put("'","//'");referencesMap.put("/"","///""...
mysql real java_mysql_real_escape_string(): Access denied in DB insert
weixin_42361153的博客
01-27 86
I am trying to use a legacy MediaWiki extension on PHP 5.6 and later versions, and it fails when it comes to DB inserts.And yes, this is not a duplicate, as the code is different.The full error was:Wa...
java mysql escape_MYSQL escape用法--转义
weixin_32902659的博客
01-19 186
在sql like语句中,比如select * from user where username like '%nihao%',select * from user where username like '_nihao',其中%做为通配符通配多个,_作为通配符通配一个如果要真的去查询username中含有 % _ 的,需要使他们不再作为通配符将% _ 在like中转义,拿_为例,转义前:sele...
php mysql_real_escape_string addslashes及mysql绑定参数防SQL注入攻击
10-20
主要介绍了php mysql_real_escape_string addslashes及mysql绑定参数防SQL注入攻击的相关资料,需要的朋友可以参考下
mysql_real_escape_string java,mysql_real_escape_string()的实际作用是什么?
weixin_39847034的博客
01-26 95
One thing that I hate about documentation at times (when you're a beginner) is how it doesn't really describe things in english. Would anyone mind translating this documentation for me? I'd like to kn...
深入escape_string for Mysql
kendyhj9999的专栏
03-26 744
http://zone.wooyun.org/content/2413 继续发老文档,这片是我09年分析PHP宽字节绕过addslashes等常用SQL注入过滤语句时写的分析文档。刚才发struts那篇文档,这篇一并发上来,充实一下PHP区的内容。  同样请各位注意,这篇文档的内容是09年的,当时甚至还有用PHP4的,可能有部分过时,查看时请注意分辨。  Author: wofeiw
escape mysql_mysql_escape_string()函数用法分析
weixin_36314117的博客
01-18 549
本文实例讲述了mysql_escape_string()函数用法。,具体如下:使用 mysql_escape_string() 对查询中有疑问的数据进行编码:有一些数据例如:char query(1024);sprintf (query, "select * from my_tbl where name = '%s'",name);如果这个时候,name 中包含了如: "0'Malley,Bria...
mysql_real_escape_stringmysql_escape_string有什么本质的区别,有什么用处,为什么被弃用?
joshua317的博客
09-08 2887
本文为joshua317原创文章,转载请注明:转载自joshua317博客https://www.joshua317.com/article/48 mysql_real_escape_stringmysql_escape_string有什么本质的区别,有什么用处,为什么被弃用? 1.官方说明: 1.1 mysql_real_escape_string (PHP 4 >= 4.3.0, PHP 5) mysql_real_escape_string — 转义 SQL 语句中使用的字符串中的.
MYSQL escape用法
热门推荐
lovely9862的专栏
12-01 1万+
在sql like语句中,比如 select * from user where username like '%nihao%',select * from user where username like '_nihao', 其中%做为通配符通配多个,_作为通配符通配一个 如果要真的去查询username中含有 % _ 的,需要使他们不再作为通配符 将% _ 在like中转义,拿
mysql_real_escape_string 什么时候会返回false
微信公众平台开发
06-05 1188
今天遇到一个奇葩的问题
mysql_real_escape_stringmysql_escape_string区别
weixin_33938733的博客
11-21 1131
2019独角兽企业重金招聘Python工程师标准>>> ...
MYSQL mysql_real_escape_string和addslashe区别
橙色卡布奇诺
08-04 3794
mysql_real_escape_string(); addslashes();以上两个都是服务器发送的转义字符,都是为了使数据安全的插入到数据库中而进行过滤.那么这两个函数到底是有什么区别呢?? 从PHP手册上查看 mysql_real_escape_string – 转义 SQL 语句中使用的字符串中的特殊字符,并考虑到连接的当前字符集。 注意: mysql_real_escape_s
java使用mysqlescape遇到的坑
qq_40835969的博客
11-30 1338
1、escape只能对指定符号后的第一位进行不转义处理 当你的语句是like ‘%%’ escape ‘\\’ 的话第二个%还是会被当成多字符匹配的特殊字符,只有当like ‘%%’ escape ‘\\’ 时才能达到查询用两个%号的数据。 2、基于1条件,我们在代码里就需要对所有特殊字符进行一个replace的操作,给所有特殊字符前加\\, be like:string1.replace("%","\\%").replace("/","\\/").replace("\\","\\\\") 看起来好像没问题
mysql_real_escape_stringmysqli_real_escape_string
最新发布
05-29
`mysql_real_escape_string` 和 `mysqli_real_escape_string` 都是用于防止 SQL 注入的函数,但是它们有一些区别。 `mysql_real_escape_string` 是用于 MySQL 扩展库的函数,它可以将某些特殊字符(例如单引号、双...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值