2015年7月27日 15:37:57go评论76阅读模式

英文:

mysql_real_escape_string equivalent for Golang

问题

我可以帮你翻译以下内容：

我想转义数据库查询的一部分值，但是我不能使用参数化查询。

Go语言是否有类似于PHP的mysql_real_escape_string的函数，可以用来转义查询的值？

英文:

I would like to escape a value that makes up part of a database query, but I can't use parameterized queries.

Does Go have an equivalent of PHP's mysql_real_escape_string I can use to escape the query value?

答案1

得分: 9

我自己想出了一个解决方案来创建这个函数。希望对某人有用。

func MysqlRealEscapeString(value string) string {
    replace := map[string]string{"\\":"\\\\", "'":`\'`, "\func MysqlRealEscapeString(value string) string {
    replace := map[string]string{"\\":"\\\\", "'":`\'`, "\\0":"\\\\0", "\n":"\\n", "\r":"\\r", `"`:`\\"`, "\x1a":"\\Z"}

    for b, a := range replace {
        value = strings.Replace(value, b, a, -1)
    }
    
    return value;
}
":"\\\func MysqlRealEscapeString(value string) string {
    replace := map[string]string{"\\":"\\\\", "'":`\'`, "\\0":"\\\\0", "\n":"\\n", "\r":"\\r", `"`:`\\"`, "\x1a":"\\Z"}

    for b, a := range replace {
        value = strings.Replace(value, b, a, -1)
    }
    
    return value;
}
", "\n":"\\n", "\r":"\\r", `"`:`\\"`, "\x1a":"\\Z"}

    for b, a := range replace {
        value = strings.Replace(value, b, a, -1)
    }
    
    return value;
}

MysqlRealEscapeString是不正确的，因为下面的测试用例将失败

func TestEscape(t *testing.T) {
    mysqlEscapeList := map[string]string{
        "\\": "\\\\", "'": `\'`, "\func TestEscape(t *testing.T) {
    mysqlEscapeList := map[string]string{
        "\\": "\\\\", "'": `\'`, "\\0": "\\\\0", "\n": "\\n", "\r": "\\r", `"`: `\"`, "\x1a": "\\Z"}

    for old, want := range mysqlEscapeList {
        testEscape(t, old, want)
    }
    testEscape(t, `<p>123</p><div><img width="1080" />`, `<p>123</p><div><img width=\"1080\" />`)
}
func testEscape(t *testing.T, origin, want string) {
    escaped := MysqlRealEscapeString(origin)
    assert.Equal(t, want, escaped)
}
": "\\\func TestEscape(t *testing.T) {
    mysqlEscapeList := map[string]string{
        "\\": "\\\\", "'": `\'`, "\\0": "\\\\0", "\n": "\\n", "\r": "\\r", `"`: `\"`, "\x1a": "\\Z"}

    for old, want := range mysqlEscapeList {
        testEscape(t, old, want)
    }
    testEscape(t, `<p>123</p><div><img width="1080" />`, `<p>123</p><div><img width=\"1080\" />`)
}
func testEscape(t *testing.T, origin, want string) {
    escaped := MysqlRealEscapeString(origin)
    assert.Equal(t, want, escaped)
}
", "\n": "\\n", "\r": "\\r", `"`: `\"`, "\x1a": "\\Z"}

    for old, want := range mysqlEscapeList {
        testEscape(t, old, want)
    }
    testEscape(t, `<p>123</p><div><img width="1080" />`, `<p>123</p><div><img width=\"1080\" />`)
}
func testEscape(t *testing.T, origin, want string) {
    escaped := MysqlRealEscapeString(origin)
    assert.Equal(t, want, escaped)
}

使用这个替代方案

func Escape(sql string) string {
    dest := make([]byte, 0, 2*len(sql))
    var escape byte
    for i := 0; i < len(sql); i++ {
        c := sql[i]

        escape = 0

        switch c {
        case 0: /* Must be escaped for 'mysql' */
            escape = '0'
            break
        case '\n': /* Must be escaped for logs */
            escape = 'n'
            break
        case '\r':
            escape = 'r'
            break
        case '\\':
            escape = '\\'
            break
        case '\'':
            escape = '\''
            break
        case '"': /* Better safe than sorry */
            escape = '"'
            break
        case '2': //十进制26,八进制32,十六进制1a, /* This gives problems on Win32 */
            escape = 'Z'
        }

        if escape != 0 {
            dest = append(dest, '\\', escape)
        } else {
            dest = append(dest, c)
        }
    }

    return string(dest)
}

英文:

I came up with my own solution to create the function myself.
Hope it would be useful to someone.

func MysqlRealEscapeString(value string) string {
    replace := map[string]string{&quot;\\&quot;:&quot;\\\\&quot;, &quot;&#39;&quot;:`\&#39;`, &quot;\func MysqlRealEscapeString(value string) string {
replace := map[string]string{&quot;\\&quot;:&quot;\\\\&quot;, &quot;&#39;&quot;:`\&#39;`, &quot;\\0&quot;:&quot;\\\\0&quot;, &quot;\n&quot;:&quot;\\n&quot;, &quot;\r&quot;:&quot;\\r&quot;, `&quot;`:`\&quot;`, &quot;\x1a&quot;:&quot;\\Z&quot;}
for b, a := range replace {
value = strings.Replace(value, b, a, -1)
}
return value;
}
&quot;:&quot;\\\func MysqlRealEscapeString(value string) string {
replace := map[string]string{&quot;\\&quot;:&quot;\\\\&quot;, &quot;&#39;&quot;:`\&#39;`, &quot;\\0&quot;:&quot;\\\\0&quot;, &quot;\n&quot;:&quot;\\n&quot;, &quot;\r&quot;:&quot;\\r&quot;, `&quot;`:`\&quot;`, &quot;\x1a&quot;:&quot;\\Z&quot;}
for b, a := range replace {
value = strings.Replace(value, b, a, -1)
}
return value;
}
&quot;, &quot;\n&quot;:&quot;\\n&quot;, &quot;\r&quot;:&quot;\\r&quot;, `&quot;`:`\&quot;`, &quot;\x1a&quot;:&quot;\\Z&quot;}

    for b, a := range replace {
        value = strings.Replace(value, b, a, -1)
    }
    
    return value;
}

1.MysqlRealEscapeString is not right, as below test case will fail

func TestEscape(t *testing.T) {
	mysqlEscapeList := map[string]string{
		&quot;\\&quot;: &quot;\\\\&quot;, &quot;&#39;&quot;: `\&#39;`, &quot;\func TestEscape(t *testing.T) {
mysqlEscapeList := map[string]string{
&quot;\\&quot;: &quot;\\\\&quot;, &quot;&#39;&quot;: `\&#39;`, &quot;\\0&quot;: &quot;\\\\0&quot;, &quot;\n&quot;: &quot;\\n&quot;, &quot;\r&quot;: &quot;\\r&quot;, `&quot;`: `\&quot;`, &quot;\x1a&quot;: &quot;\\Z&quot;}
for old, want := range mysqlEscapeList {
testEscape(t, old, want)
}
testEscape(t, `&lt;p&gt;123&lt;/p&gt;&lt;div&gt;&lt;img width=&quot;1080&quot; /&gt;`, `&lt;p&gt;123&lt;/p&gt;&lt;div&gt;&lt;img width=\&quot;1080\&quot; /&gt;`)
}
func testEscape(t *testing.T, origin, want string) {
escaped := MysqlRealEscapeString(origin)
assert.Equal(t, want, escaped)
}
&quot;: &quot;\\\func TestEscape(t *testing.T) {
mysqlEscapeList := map[string]string{
&quot;\\&quot;: &quot;\\\\&quot;, &quot;&#39;&quot;: `\&#39;`, &quot;\\0&quot;: &quot;\\\\0&quot;, &quot;\n&quot;: &quot;\\n&quot;, &quot;\r&quot;: &quot;\\r&quot;, `&quot;`: `\&quot;`, &quot;\x1a&quot;: &quot;\\Z&quot;}
for old, want := range mysqlEscapeList {
testEscape(t, old, want)
}
testEscape(t, `&lt;p&gt;123&lt;/p&gt;&lt;div&gt;&lt;img width=&quot;1080&quot; /&gt;`, `&lt;p&gt;123&lt;/p&gt;&lt;div&gt;&lt;img width=\&quot;1080\&quot; /&gt;`)
}
func testEscape(t *testing.T, origin, want string) {
escaped := MysqlRealEscapeString(origin)
assert.Equal(t, want, escaped)
}
&quot;, &quot;\n&quot;: &quot;\\n&quot;, &quot;\r&quot;: &quot;\\r&quot;, `&quot;`: `\&quot;`, &quot;\x1a&quot;: &quot;\\Z&quot;}

	for old, want := range mysqlEscapeList {
		testEscape(t, old, want)
	}
	testEscape(t, `&lt;p&gt;123&lt;/p&gt;&lt;div&gt;&lt;img width=&quot;1080&quot; /&gt;`, `&lt;p&gt;123&lt;/p&gt;&lt;div&gt;&lt;img width=\&quot;1080\&quot; /&gt;`)
}
func testEscape(t *testing.T, origin, want string) {
	escaped := MysqlRealEscapeString(origin)
	assert.Equal(t, want, escaped)
}

use this one instead

func Escape(sql string) string {
	dest := make([]byte, 0, 2*len(sql))
	var escape byte
	for i := 0; i &lt; len(sql); i++ {
		c := sql[i]

		escape = 0

		switch c {
		case 0: /* Must be escaped for &#39;mysql&#39; */
			escape = &#39;0&#39;
			break
		case &#39;\n&#39;: /* Must be escaped for logs */
			escape = &#39;n&#39;
			break
		case &#39;\r&#39;:
			escape = &#39;r&#39;
			break
		case &#39;\\&#39;:
			escape = &#39;\\&#39;
			break
		case &#39;\&#39;&#39;:
			escape = &#39;\&#39;&#39;
			break
		case &#39;&quot;&#39;: /* Better safe than sorry */
			escape = &#39;&quot;&#39;
			break
		case &#39;2&#39;: //十进制26,八进制32,十六进制1a, /* This gives problems on Win32 */
			escape = &#39;Z&#39;
		}

		if escape != 0 {
			dest = append(dest, &#39;\\&#39;, escape)
		} else {
			dest = append(dest, c)
		}
	}

	return string(dest)
}

答案2

得分: 4

如果整个查询 - 或者查询的任何部分超出了单个值 - 是从命令行传递的，那么你就没有需要转义的内容。

mysql_real_escape_string及其类似函数用于对单个值进行清理，以防止在将其插入查询之前，任何可以访问该值的人“突破”并篡改查询本身。

考虑到你将整个查询提供给外部，转义函数无法提高安全性。

在这里，你唯一能做的安全措施是：

在无法造成任何损害的用户上下文中执行查询（例如，你可以在MySQL中按用户基础限制命令）
确保正确捕获和处理查询错误
如上面的评论中Not_a_Golfer所建议的，解析查询以查找任何恶意内容

英文:

If the entire query - or any part of the query that goes beyond a single value - is passed from the command line, there is nothing for you to escape.

mysql_real_escape_string and its cousins are for sanitizing single values, to prevent anyone with access to the value before it is inserted into the query from "breaking out" and fiddling with the query itself.

Given that you are giving access to the entire query to an outside, there is nothing an escape function could do to improve safety.

Your only shot at security here is

executing the query in a user context that can't do any damage (e.g. you can restrict commands on a per-user basis in mySQL)
making sure that query errors are properly caught and dealt with
as Not_a_Golfer suggests in the comments above, parsing the query for anything malicious

答案3

得分: 2

改进的答案：

func MysqlRealEscapeString(value string) string {
	var sb strings.Builder
	for i := 0; i < len(value); i++ {
		c := value[i]
		switch c {
		case '\\', 0, '\n', '\r', '\'', '"':
			sb.WriteByte('\\')
			sb.WriteByte(c)
		case '2':
			sb.WriteByte('\\')
			sb.WriteByte('Z')
		default:
			sb.WriteByte(c)
		}
	}
	return sb.String()
}

英文:

Improved answer:

func MysqlRealEscapeString(value string) string {
	var sb strings.Builder
	for i := 0; i &lt; len(value); i++ {
		c := value[i]
		switch c {
		case &#39;\\&#39;, 0, &#39;\n&#39;, &#39;\r&#39;, &#39;\&#39;&#39;, &#39;&quot;&#39;:
			sb.WriteByte(&#39;\\&#39;)
			sb.WriteByte(c)
		case &#39;2&#39;:
			sb.WriteByte(&#39;\\&#39;)
			sb.WriteByte(&#39;Z&#39;)
		default:
			sb.WriteByte(c)
		}
	}
	return sb.String()
}

答案4

得分: 0

你可以使用预处理查询来实现这个功能。

检索多行数据

stmt, err := db.Prepare("select id, name from users where id = ?")
if err != nil {
	log.Fatal(err)
}
defer stmt.Close()
rows, err := stmt.Query(1)
if err != nil {
	log.Fatal(err)
}
defer rows.Close()
for rows.Next() {
	// ...
}
if err = rows.Err(); err != nil {
	log.Fatal(err)
}

检索单行数据

var name string
err = db.QueryRow("select name from users where id = ?", 1).Scan(&name)
if err != nil {
	log.Fatal(err)
}
fmt.Println(name)

英文:

For this you can use Prepared Queries.

To Retrieve Multiple Rows

stmt, err := db.Prepare(&quot;select id, name from users where id = ?&quot;)
if err != nil {
	log.Fatal(err)
}
defer stmt.Close()
rows, err := stmt.Query(1)
if err != nil {
	log.Fatal(err)
}
defer rows.Close()
for rows.Next() {
	// ...
}
if err = rows.Err(); err != nil {
	log.Fatal(err)
}

To Retrieve Single Row

var name string
err = db.QueryRow(&quot;select name from users where id = ?&quot;, 1).Scan(&amp;name)
if err != nil {
	log.Fatal(err)
}
fmt.Println(name)

通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库，让每个人都能够通过互相帮助和分享经验来进步。

mysql_real_escape_string equivalent for Golang

问题

答案1

答案2

答案3

答案4

通道作为参数，为什么不用星号呢？

Golang是如何静态类型的，当它也允许不为变量指定任何类型时？

`panic`和`log.Fatalln()`在结果上有什么区别？

为什么使用数组而不是切片？

What's the correct way to type hint an empty list as a literal in python?

如何在Highcharts Gantt中更改本地化的星期名称

如何在同一个流中使用多个过滤器和映射函数？

如何使用Map/Set来将代码优化到O(n)？

.NET MAUI Android在GitHub Actions上构建失败，错误代码为1。

如何在Playwright视觉比较中屏蔽多个定位器？

在C++中，可以使用可变模板参数来检索类型的内部类型。

selenium.common.exceptions.StaleElementReferenceException: Message: stale element reference: stale element not found

Creating and opening a URL to log in to Website via Basic Auth with Robot Framework/Selenium (Python)

AG Grid 在上下文菜单中以大文本形式打开

发表评论