What characters have to be escaped to prevent (My)SQL injections?

0 votes
asked Jul 6, 2009 by tower

I'm using MySQL API's function


Based on the documentation, it escapes the following characters:


Now, I looked into OWASP.org's ESAPI security library and in the Python port it had the following code (http://code.google.com/p/owasp-esapi-python/source/browse/esapi/codecs/mysql.py):

        Encodes a character for MySQL.
        lookup = {
        0x00 : "\\0",
        0x08 : "\\b",
        0x09 : "\\t",
        0x0a : "\\n",
        0x0d : "\\r",
        0x1a : "\\Z",
        0x22 : '\\"',
        0x25 : "\\%",
        0x27 : "\\'",
        0x5c : "\\\\",
        0x5f : "\\_",

Now, I'm wondering whether all those characters are really needed to be escaped. I understand why % and _ are there, they are meta characters in LIKE operator, but I can't simply understand why did they add backspace and tabulator characters (\b \t)? Is there a security issue if you do a query:

SELECT a FROM b WHERE c = '...user input ...';

Where user input contains tabulators or backspace characters?

My question is here: Why did they include \b \t in the ESAPI security library? Are there any situations where you might need to escape those characters?

6 Answers

0 votes
answered Jul 6, 2009 by balpha

A guess concerning the backspace character: Imagine I send you an email "Hi, here's the query to update your DB as you wanted" and an attached textfile with

INSERT INTO students VALUES ("Bobby Tables",12,"abc",3.6);

You cat the file, see it's okay, and just pipe the file to MySQL. What you didn't know, however, was that I put

DROP TABLE students;\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b

before the INSERT STATEMENT which you didn't see because on console output the backspaces overwrote it. Bamm!

Just a guess, though.

Edit (couldn't resist):

alt text

0 votes
answered Jul 6, 2009 by cheekysoft

Blacklisting (identifying bad characters) is never the way to go, if you have any other options.

You need to use a conbination of whitelisting, and more importantly, bound-parameter approaches.

Whilst this particular answer has a PHP focus, it still helps plenty and will help explain that just running a string through a char filter doesn't work in many cases. Please, please see Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?

0 votes
answered Jul 6, 2009 by gumbo

The MySQL manual page for strings says:

  • \0   An ASCII NUL (0x00) character.
  • \'   A single quote (“'”) character.
  • \"   A double quote (“"”) character.
  • \b   A backspace character.
  • \n   A newline (linefeed) character.
  • \r   A carriage return character.
  • \t   A tab character.
  • \Z   ASCII 26 (Control-Z). See note following the table.
  • \\   A backslash (“\”) character.
  • \%   A “%” character. See note following the table.
  • \_   A “_” character. See note following the table.
0 votes
answered Jul 1, 2014 by your-common-sense

Where user input contains tabulators or backspace characters?

It's quite remarkable a fact that up to this day most users do believe that it's user input have to be escaped, and such escaping "prevents injections".

0 votes
answered Sep 15, 2017 by jarett-l

couldn't one just delete the single quote(s) from user input?

eg: $input =~ s/\'|\"//g;

0 votes
answered Sep 15, 2017 by crae

Java solution:

public static String filter( String s ) {
    StringBuffer buffer = new StringBuffer();
    int i;

    for( byte b : s.getBytes() ) {
        i = (int) b;

        switch( i ) {
            case  9 : buffer.append( "    " ); break;
            case 10 : buffer.append( "\\n"  ); break;
            case 13 : buffer.append( "\\r"  ); break;
            case 34 : buffer.append( "\\\"" ); break;
            case 39 : buffer.append( "\\'"  ); break;
            case 92 : buffer.append( "\\"   );

            if( i > 31 && i < 127 ) buffer.append( new String( new byte[] { b } ) );

    return buffer.toString();
Welcome to Q&A, where you can ask questions and receive answers from other members of the community.
Website Online Counter