Richard..
6
您需要以下代码.乍一看,这可能看起来像我编写的任何旧代码.但是,我所做的是查看http://grepcode.com/file/repo1.maven.org/maven2/mysql/mysql-connector-java/5.1.31/com/mysql/jdbc/PreparedStatement的源代码. java.然后,我仔细查看了setString(int parameterIndex,String x)的代码,找到它转义的字符,并将其自定义为我自己的类,以便它可以用于您需要的目的.毕竟,如果这是Oracle逃脱的字符列表,那么知道这一点在安全方面确实令人感到安慰.也许Oracle需要一个推动,为下一个主要的Java版本添加类似于这个的方法.
public class SQLInjectionEscaper {
public static String escapeString(String x, boolean escapeDoubleQuotes) {
StringBuilder sBuilder = new StringBuilder(x.length() * 11/10);
int stringLength = x.length();
for (int i = 0; i < stringLength; ++i) {
char c = x.charAt(i);
switch (c) {
case 0: /* Must be escaped for 'mysql' */
sBuilder.append('\\');
sBuilder.append('0');
break;
case '\n': /* Must be escaped for logs */
sBuilder.append('\\');
sBuilder.append('n');
break;
case '\r':
sBuilder.append('\\');
sBuilder.append('r');
break;
case '\\':
sBuilder.append('\\');
sBuilder.append('\\');
break;
case '\'':
sBuilder.append('\\');
sBuilder.append('\'');
break;
case '"': /* Better safe than sorry */
if (escapeDoubleQuotes) {
sBuilder.append('\\');
}
sBuilder.append('"');
break;
case '\032': /* This gives problems on Win32 */
sBuilder.append('\\');
sBuilder.append('Z');
break;
case '\u00a5':
case '\u20a9':
// escape characters interpreted as backslash by mysql
// fall through
default:
sBuilder.append(c);
}
}
return sBuilder.toString();
}
}
我认为这段代码是上述链接中反编译的源代码版本.现在在更新的`mysql-connector-java-xxx`中,`case'\ u00a5'`和`case'\ u20a9'`语句似乎已被删除 (2认同)