Escaping strings in MySQL

1. Why escape

If user input is accepted without any restriction, the special characters it contains must be escaped before the input is placed in a query.

If a single quote is not escaped, at best the feature simply does not work; more likely the database raises an error, and because an unescaped quote terminates the literal early and lets the input alter the structure of the statement (the root of SQL injection), it can even bring the system down.

2. Characters that need escaping

Within a string literal, certain character sequences have special meaning. Each of them begins with a backslash ('\'), the escape character. MySQL recognizes the following escape sequences:

  \0   ASCII 0 (NUL) character.
  \'   Single quote (''').
  \"   Double quote ('"').
  \b   Backspace.
  \n   Newline (linefeed).
  \r   Carriage return.
  \t   Tab.
  \Z   ASCII 26 (Control-Z). This character can be encoded as '\Z' to work around the fact that ASCII 26 stands for end-of-file on Windows. (ASCII 26 causes problems if you try to use mysql db_name < file_name.)
  \\   Backslash ('\') character.
  \%   '%' character. See the note following the table.
  \_   '_' character. See the note following the table.

These sequences are case sensitive. For example, '\b' is interpreted as a backspace, but '\B' is interpreted as 'B'.

The '\%' and '\_' sequences are used to search for literal instances of '%' and '_' in contexts where they would otherwise be interpreted as wildcards, that is, in LIKE patterns. Note that if you use '\%' or '\_' in any other context, they evaluate to the strings '\%' and '\_', not to '%' and '_'.

For all other sequences the backslash is ignored. In other words, an escaped character that is not in the table above is interpreted as if it were not escaped.

There are several ways to include quote characters within a string:

  A ''' inside a string quoted with ''' may be written as ''''.
  A '"' inside a string quoted with '"' may be written as '""'.
  Precede the quote character with the escape character ('\').
  A ''' inside a string quoted with '"' needs no special treatment and need not be doubled or escaped. Likewise, a '"' inside a string quoted with ''' needs no special treatment.

The following SELECT statements show how quoting and escaping work:

mysql> SELECT 'hello', '"hello"', '""hello""', 'hel''lo', '\'hello';
+-------+---------+-----------+--------+--------+
| hello | "hello" | ""hello"" | hel'lo | 'hello |
+-------+---------+-----------+--------+--------+

mysql> SELECT "hello", "'hello'", "''hello''", "hel""lo", "\"hello";
+-------+---------+-----------+--------+--------+
| hello | 'hello' | ''hello'' | hel"lo | "hello |
+-------+---------+-----------+--------+--------+

mysql> SELECT 'This\nIs\nFour\nLines';
+--------------------+
| This
Is
Four
Lines |
+--------------------+

mysql> SELECT 'disappearing\ backslash';
+------------------------+
| disappearing backslash |
+------------------------+

If you want to insert binary data into a string column (such as a BLOB), the following characters must be represented by escape sequences:

  NUL   NUL byte (ASCII 0). Represent this character by '\0' (a backslash followed by an ASCII '0' character).
  \     Backslash (ASCII 92). Represent this character by '\\'.
  '     Single quote (ASCII 39). Represent this character by '\''.
  "     Double quote (ASCII 34). Represent this character by '\"'.

When writing an application, any string that might contain one of these special characters must be properly escaped before it is used as a data value in an SQL statement sent to the MySQL server. This can be done in two ways:

Process the string with a function that escapes the special characters. In a C program, for example, you can use the mysql_real_escape_string() C API function to escape characters. See Section 25.2.3.52, "mysql_real_escape_string()". The Perl DBI interface provides a quote method that converts special characters to the proper escape sequences. See Section 25.4, "MySQL Perl API".

As an alternative to escaping special characters explicitly, many MySQL APIs provide a placeholder capability that lets you insert special markers into the query string and then bind the data values to them when you issue the query. In this case the API takes care of escaping the special characters in the values for you. Placeholders are the preferable approach: the value is never spliced into the SQL text by hand, so there is no escaping rule to get wrong.
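As an added example (not code from the original article, and not MySQL's own implementation), the following Python puts the two approaches just described next to each other: a stand-alone re-implementation of the escape rules in the table above, in the spirit of mysql_real_escape_string(), and a minimal "?" placeholder binder that emulates what a driver's placeholder feature does for you. The names escape_mysql_string, quote_literal and bind, the hex-literal rendering of binary values, and the sample input are assumptions made for this example, not a real driver's API.

```python
# Added example (not from the original article): a stand-alone Python
# re-implementation of the escape rules listed above, in the spirit of
# mysql_real_escape_string(), plus a minimal "?" placeholder binder that
# emulates what a driver's placeholder feature does for you.  All names
# (escape_mysql_string, quote_literal, bind) are illustrative, not a real
# driver's API.

# Character -> escape sequence: exactly the set the article says must be
# escaped in data values (NUL, backslash, both quotes, newline, carriage
# return, Ctrl-Z).  '%' and '_' are deliberately absent: \% and \_ only
# mean something inside LIKE patterns and would otherwise stay as "\%".
_ESCAPES = {
    "\0": "\\0",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\n": "\\n",
    "\r": "\\r",
    "\x1a": "\\Z",
}


def escape_mysql_string(value: str) -> str:
    """Return value with MySQL-special characters escaped (no quotes added)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def quote_literal(value) -> str:
    """Render a Python value as a MySQL literal that can be spliced into SQL."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):          # bool before int: bool is an int subclass
        return "1" if value else "0"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, (bytes, bytearray)):
        # Binary (BLOB) data: a hex literal avoids escaping altogether.
        return "X'" + bytes(value).hex() + "'"
    return "'" + escape_mysql_string(str(value)) + "'"


def bind(template: str, params) -> str:
    """Replace each '?' outside quoted literals with the escaped parameter.

    Client-side emulation of a placeholder API; real drivers may instead use
    server-side prepared statements, which never splice values into text."""
    params = list(params)
    out = []
    in_quote = None
    i = 0
    while i < len(template):
        ch = template[i]
        if in_quote:
            if ch == "\\" and i + 1 < len(template):   # keep escape pairs intact
                out.append(template[i:i + 2])
                i += 2
                continue
            if ch == in_quote:
                in_quote = None
            out.append(ch)
        elif ch in ("'", '"'):
            in_quote = ch
            out.append(ch)
        elif ch == "?":
            if not params:
                raise ValueError("more '?' placeholders than parameters")
            out.append(quote_literal(params.pop(0)))
        else:
            out.append(ch)
        i += 1
    if params:
        raise ValueError("more parameters than '?' placeholders")
    return "".join(out)


if __name__ == "__main__":
    # Constructed input: a value containing a quote and a backslash.
    name = "O'Reilly \\ Co"
    print("SELECT * FROM users WHERE name = '" + name + "'")  # literal ends early
    print(bind("SELECT * FROM users WHERE name = ?", [name]))
```

The binder tracks whether it is inside a quoted literal so that a '?' that is part of the SQL text itself is left alone, and it refuses a parameter count that does not match the placeholder count; both are the kinds of mistakes a real driver's placeholder feature catches for you, which is why it is preferred over hand-built escaping.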

3. Specific applications

(1) Single quotes

The workaround is simple: convert each single quote ['] into two single quotes [''].

Example: SELECT * FROM TBL WHERE COL = 'ABC''DEF';

(2) Wildcards

A fuzzy (LIKE) query that contains unescaped wildcards does not raise an error, but if they are not escaped you will not retrieve the rows you actually want.

The workaround is more involved than for single quotes: you need an escape character. Convert [%] into [/%] and [_] into [/_],

then append [ESCAPE '/'] to the LIKE predicate.

Example: SELECT * FROM TBL WHERE COL LIKE 'ABC/%/_%' ESCAPE '/';

Only the last percent sign remains a wildcard.

(3) Full-width characters

On a Japanese project the data will also contain the full-width characters [％] and [＿].

These two-byte characters behave as wildcards just like their half-width counterparts, so the full-width [％] and [＿] must be converted as well.

Example: SELECT * FROM TBL WHERE COL LIKE 'ABC/%/_/％/＿%' ESCAPE '/';

(4) The escape character

That might seem to be the end of it, but do not forget the escape character itself: if a user enters the escape character,

the processing above produces an SQL error, so the escape character must be escaped too. The conversion is [/] into [//].

Example: SELECT * FROM TBL WHERE COL LIKE 'ABC/%/_/％///＿%' ESCAPE '/';
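As an added example (not from the original article), the following Python puts cases (2), (3) and (4) together: it escapes a user-supplied fragment for use in a LIKE pattern with an explicit ESCAPE character, covering % and _, the full-width ％ and ＿, and the escape character itself. The names escape_like, contains_clause and like_match, the regex-based LIKE evaluator and the sample rows are assumptions of this example; the evaluator models the environment described in (3), where full-width characters act as wildcards, and is not the database engine's implementation.

```python
# Added example (not from the original article): escaping a user-supplied
# fragment for a LIKE pattern with an explicit ESCAPE character, covering
# % and _, the full-width ％ and ＿, and the escape character itself.
# like_match() is an illustrative regex-based LIKE evaluator, written here
# to check the escaping; it is not the database engine's implementation.
import re

FULLWIDTH = {"\uff05": "%", "\uff3f": "_"}   # ％ and ＿


def escape_like(fragment: str, esc: str = "/") -> str:
    """Escape LIKE metacharacters in fragment so they match literally.

    The escape character is escaped too; otherwise a user-supplied '/' would
    swallow the escape applied to the next character (case (4) above).
    Full-width ％ and ＿ are escaped as recommended for Japanese data."""
    if len(esc) != 1 or esc in "%_":
        raise ValueError("ESCAPE must be a single character other than % or _")
    out = []
    for ch in fragment:
        if ch == esc or ch in "%_" or ch in FULLWIDTH:
            out.append(esc)
        out.append(ch)
    return "".join(out)


def contains_clause(column: str, fragment: str, esc: str = "/") -> str:
    """Build "COL LIKE '%<escaped>%' ESCAPE '/'" for a substring search.

    Single quotes in the pattern are doubled as in (1).  The column name is
    assumed to be a trusted identifier chosen by the application, not input."""
    pattern = "%" + escape_like(fragment, esc) + "%"
    return "%s LIKE '%s' ESCAPE '%s'" % (column, pattern.replace("'", "''"), esc)


def like_match(pattern: str, text: str, esc: str = "/",
               fullwidth_wild: bool = True) -> bool:
    """Evaluate a LIKE pattern with ESCAPE (illustrative evaluator).

    fullwidth_wild=True models the environment described in (3), where
    ％ and ＿ behave like % and _ unless escaped."""
    regex = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == esc:
            if i + 1 >= len(pattern):
                raise ValueError("escape character at end of pattern")
            regex.append(re.escape(pattern[i + 1]))   # escaped: always literal
            i += 2
            continue
        if fullwidth_wild and ch in FULLWIDTH:
            ch = FULLWIDTH[ch]
        if ch == "%":
            regex.append(".*")
        elif ch == "_":
            regex.append(".")
        else:
            regex.append(re.escape(ch))
        i += 1
    return re.fullmatch("".join(regex), text, re.DOTALL) is not None


if __name__ == "__main__":
    # Constructed sample rows, in the spirit of the test table later on.
    rows = ["sdd_kk", "sddxkk", "dffa%asfs", "dffaXasfs", "50/50", "100％"]
    for needle in ["_", "%", "/", "％"]:
        hits = [r for r in rows if like_match("%" + escape_like(needle) + "%", r)]
        print(needle, "->", hits)
```

Escaping the escape character is the step most often forgotten: with the order of checks in escape_like, an input of "/_" becomes "///_", so the first pair is a literal slash and the second pair a literal underscore, exactly as in the example above.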

(5) Character types

The operations above apply to ordinary character types such as CHAR and VARCHAR2. For NCHAR and NVARCHAR2 columns the same statement fails in Oracle with ORA-01425 (escape character must be character string of length 1).

Rewriting it as follows produces ORA-01424 (missing or illegal character following the escape character) instead:

SELECT * FROM TBL WHERE COL LIKE '%/_%' ESCAPE TO_NCHAR('/')

The correct form is:

SELECT * FROM TBL WHERE COL LIKEC '%/_%' ESCAPE TO_NCHAR('/')

(6) Fuzzy queries with LIKE

Finally, note that ESCAPE must be written after every LIKE predicate; it does not carry over to the next one.

Example:

SELECT * FROM TBL
WHERE COL1 LIKE '%/_%' ESCAPE '/' OR COL2 LIKE '%/_%' ESCAPE '/'

SQL> select * from test;

TEST
--------------------
sdd_kk
d'd
dfsfsa
dffa% asfs
12345
1%2345
1%54321
2%54321
%%54321
A&B

9 rows selected.

(7) Special characters

Data may contain special characters such as %, _ and &. Rows containing them can be handled incorrectly, or we may need to find exactly the rows that contain these characters. With the test table above:

SQL> select * from test where test like 'sdd _%' escape ' ';

TEST
--------------------
sdd_kk

Here the escape character is ' ' (a blank). Any single character that does not itself occur in the pattern will do; '/' is the usual choice:

SQL> select * from test where test like 'sdd/_%' escape '/';

TEST
--------------------
sdd_kk

Origin: blog.csdn.net/HAOXUAN168/article/details/104087357