Package org.owasp.esapi.codecs
Class MySQLCodec
- java.lang.Object
  - org.owasp.esapi.codecs.AbstractCodec<java.lang.Character>
    - org.owasp.esapi.codecs.AbstractCharacterCodec
      - org.owasp.esapi.codecs.MySQLCodec
- All Implemented Interfaces:
  Codec<java.lang.Character>

public class MySQLCodec extends AbstractCharacterCodec

Codec implementation which can be used to escape string literals in MySQL. The implementation accepts two modes, as identified by the OWASP recommended escaping strategies:

- ANSI: simply encode all ' (single tick) characters as '' (two single ticks).
- Standard:
  NUL (0x00) --> \0   [This is a zero, not the letter O]
  BS  (0x08) --> \b
  TAB (0x09) --> \t
  LF  (0x0a) --> \n
  CR  (0x0d) --> \r
  SUB (0x1a) --> \Z
  "   (0x22) --> \"
  %   (0x25) --> \%
  '   (0x27) --> \'
  \   (0x5c) --> \\
  _   (0x5f) --> \_
  All other non-alphanumeric characters with ASCII values less than 256 --> \c, where 'c' is the original non-alphanumeric character.

- Since:
  June 1, 2007
- See Also:
  MySQL 8.0 String Literals
  OWASP SQL_Injection_Prevention_Cheat_Sheet#MySQL_Escaping
- Author:
  Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
Nested Class Summary
- static class MySQLCodec.Mode
  Specifies the SQL Mode the target MySQL Server is running with.

Field Summary
- static int ANSI_MODE
  Target MySQL Server is running in ANSI_QUOTES Mode.
- static int MYSQL_MODE
  Target MySQL Server is running in Standard MySQL (Default) mode.

Constructor Summary
- MySQLCodec(int mode)
  Deprecated.
- MySQLCodec(MySQLCodec.Mode mode)
  Instantiate the MySQL Codec with the given SQL MySQLCodec.Mode.

Method Summary
- java.lang.Character decodeCharacter(PushbackSequence<java.lang.Character> input)
  Returns the decoded version of the next character from the input string and advances the current character in the PushbackSequence.
- java.lang.String encodeCharacter(char[] immune, java.lang.Character c)
  WARNING!!!! Passing a standard char to this method will resolve to the
- Methods inherited from class org.owasp.esapi.codecs.AbstractCharacterCodec:
  decode
- Methods inherited from class org.owasp.esapi.codecs.AbstractCodec:
  containsCharacter, encode, encodeCharacter, encodeCharacter, getHexForNonAlphanumeric, getHexForNonAlphanumeric, toHex, toHex, toOctal
Field Detail

MYSQL_MODE
public static final int MYSQL_MODE
Target MySQL Server is running in Standard MySQL (Default) mode.
- See Also:
  Constant Field Values

ANSI_MODE
public static final int ANSI_MODE
Target MySQL Server is running in ANSI_QUOTES Mode.
Constructor Detail

MySQLCodec
@Deprecated
public MySQLCodec(int mode)
Deprecated.
Instantiate the MySQL codec.
- Parameters:
  mode - Mode has to be one of {MYSQL_MODE|ANSI_MODE} to allow correct encoding
- See Also:
  MySQLCodec(org.owasp.esapi.codecs.MySQLCodec.Mode)

MySQLCodec
public MySQLCodec(MySQLCodec.Mode mode)
Instantiate the MySQL Codec with the given SQL MySQLCodec.Mode.
- Parameters:
  mode - The mode the target server is running in
Method Detail

encodeCharacter
public java.lang.String encodeCharacter(char[] immune, java.lang.Character c)
WARNING!!!! Passing a standard char to this method will resolve to the
- Specified by:
  encodeCharacter in interface Codec<java.lang.Character>
- Overrides:
  encodeCharacter in class AbstractCodec<java.lang.Character>
- Parameters:
  immune - array of chars to NOT encode. Use with caution.
  c - the Character to encode
- Returns:
  the encoded Character
- See Also:
  method instead of this one!!! YOU HAVE BEEN WARNED!!!!

decodeCharacter
public java.lang.Character decodeCharacter(PushbackSequence<java.lang.Character> input)
Returns the decoded version of the next character from the input string and advances the current character in the PushbackSequence. If the current character is not encoded, this method MUST reset the PushbackString. Returns the decoded version of the character starting at index, or null if no decoding is possible.

Formats (all are legal, case sensitive):
- In ANSI_MODE, '' decodes to '
- In MYSQL_MODE, \x decodes to x (or to one of a small list of specials)

- Specified by:
  decodeCharacter in interface Codec<java.lang.Character>
- Overrides:
  decodeCharacter in class AbstractCodec<java.lang.Character>
- Parameters:
  input - the Character to decode
- Returns:
  the decoded Character
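Using the two modes described above, as an added example (not code from the ESAPI project): it escapes one constructed sample value with each mode, embeds the Standard-mode result in a string literal, and checks that decode() reverses the escaping. It assumes the ESAPI jar is on the classpath and uses the MySQLCodec.Mode constants STANDARD and ANSI, which this page does not list.

```java
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.MySQLCodec;

// Escapes a constructed value with both MySQLCodec modes and verifies the
// round trip. Mode.STANDARD and Mode.ANSI correspond to MYSQL_MODE and
// ANSI_MODE; they are assumed here, not taken from this page.
public class MySQLCodecExample {

    // Constructed sample: every character the Standard table handles specially
    // (quote, percent, backslash, underscore) plus a NUL, inside a search term.
    static final String SAMPLE = "O'Reilly 100% \\ _x\u0000";

    // An empty immune array exempts nothing from escaping; only pass characters
    // here when the surrounding SQL genuinely requires them unescaped.
    static final char[] NO_IMMUNE = new char[0];

    static String escape(MySQLCodec.Mode mode, String value) {
        Codec<Character> codec = new MySQLCodec(mode);
        return codec.encode(NO_IMMUNE, value);
    }

    // True when decoding the escaped text yields the original value again.
    static boolean roundTrips(MySQLCodec.Mode mode, String value) {
        Codec<Character> codec = new MySQLCodec(mode);
        return value.equals(codec.decode(codec.encode(NO_IMMUNE, value)));
    }

    public static void main(String[] args) {
        String standard = escape(MySQLCodec.Mode.STANDARD, SAMPLE);
        String ansi = escape(MySQLCodec.Mode.ANSI, SAMPLE);

        // Standard mode backslash-escapes every non-alphanumeric character,
        // the space included, and turns the NUL into the two characters \0.
        System.out.println("STANDARD: " + standard);
        // ANSI mode only doubles the single quote; that is sufficient only
        // when the target server really runs with ANSI_QUOTES enabled.
        System.out.println("ANSI    : " + ansi);

        // The codec escapes the contents of a literal; the quotes around it
        // are still the caller's responsibility.
        String sql = "SELECT id FROM books WHERE title = '" + standard + "'";
        System.out.println(sql);

        if (!roundTrips(MySQLCodec.Mode.STANDARD, SAMPLE)
                || !roundTrips(MySQLCodec.Mode.ANSI, SAMPLE)) {
            throw new IllegalStateException("escape/decode round trip failed");
        }
    }
}
```

In application code the same escaping is normally reached through ESAPI.encoder().encodeForSQL(codec, input); parameterized queries remain the primary defence, with codec escaping reserved for the parts of a statement they cannot parameterize.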