通过Bash脚本语言逃避MYSQL命令行。

PHP has mysql_real_escape_string() to correctly escape any characters that might cause problems. What is the best way to mimic this functionality for BASH?

PHP具有mysql_real_escape_string()以正确转义任何可能导致问题的字符。模拟BASH的这种功能的最佳方法是什么?

Is there anyway to do prepared mysql statements using bash? This seems to be the best way.

使用bash是否有准备好的mysql语句?这似乎是最好的办法。

Most of my variables won't (shouldn't) have special characters, however I give the user complete freedom for their password. It may include characters like ' and ".

我的大多数变量不会(不应该)有特殊的字符，但是我给了用户完全自由的密码。它可能包括“和”这样的角色。

I may be doing multiple SQL statements so I'll want to make a script that takes in parameters and then runs the statement. This is what I have so far:

我可能正在做多个SQL语句，所以我想要创建一个脚本，它接收参数，然后运行语句。这是我目前所拥有的:

doSQL.sh:

#!/bin/sh

SQLUSER="root"
SQLPASS="passwor339c"
SQLHOST="localhost"

SQL="$1"
SQLDB="$2"


if [ -z "$SQL" ]; then echo "ERROR: SQL not defined"; exit 1; fi
if [ -z "$SQLDB" ]; then SQLDB="records"; fi

echo "$SQL" | mysql -u$SQLUSER -p$SQLPASS -h$SQLHOST $SQLDB

and an example using said command:

还有一个使用上述命令的例子:

example.sh:

PASSWORD=$1
doSQL "INSERT INTO active_records (password) VALUES ('$PASSWORD')"

Obviously this would fail if the password password contained a single quote in it.

显然，如果密码中包含一个引号，这将失败。

5 个解决方案

#1

In Bash, printf can do the escaping for you:

在Bash中，printf可以为您做转义:

$ a=''\''"\;:#[]{}()|&^$@!?, .<>abc123'
$ printf -v var "%q" "$a"
$ echo "$var"
\'\"\\\;:#\[\]\{\}\(\)\|\&\^\$@\!\?\,\ .\<\>abc123

I'll leave it to you to decide if that's aggressive enough.

我让你来决定这是否足够激进。

5 个解决方案

#1

更多相关文章

随机推荐