在 SQL 中必须转义哪些正则表达式字符？

Question

To prevent SQL injection attack, the book "Building Scalable Web Sites" has a function to replace regular expression characters with escaped version:

function db_escape_str_rlike($string) {
    preg_replace("/([().\[\]*^\$])/", '\\\$1', $string);
}

Does this function escape ( ) . [ ] * ^ $ ? Why are only those characters escaped in SQL?

Answer 1

I found an excerpt from the book you mention , and found that the function is not for escaping to protect against SQL injection vulnerabilities. I assumed it was, and temporarily answered your question with that in mind. I think other commenters are making the same assumption.

The function is actually about escaping characters that you want to use in regular expressions. There are several characters that have special meaning in regular expressions, so if you want to search for those literal characters, you need to escape them (precede with a backslash).

This has little to do with SQL. You would need to escape the same characters if you wanted to search for them literally using grep , sed , perl , vim , or any other program that uses regular expression searches.

Answer 2

Unfortunately, active characters in sql databases is an open issue. Each database vendor uses their own (mainly oracle's mysql, that uses \\ escape sequences)

The official SQL way to escape a ' , which is the string delimiter used for values is to double the ' , as in '' .

That should be the only way to ensure transparency in SQL statements, and the only way to introduce a proper ' into a string. As soon as any vendor admits \\' as a synonim of a quote, you are open to support all the extra escape sequences to delimit strings. Suppose you have:

'Mac O''Connor' (should go into "Mac O'Connor" string)

and assume the only way to escape a ' is that... then you have to check the next char when you see a ' for a '' sequence and:

• you get '' that you change into ' .
• you get another, and you terminate the string literal and process the char as the first of the next token.

But if you admit \\ as escape also, then you have to check for \\' and for \\\\' , and \\\\\\' (this last one should be converted to \\' on input) etc. You can run into trouble if you don't detect special cases as

• \\'' (should the '' be processed as SQL mandates, or the first \\' is escaping the first ' and the second is the string end quote?)
• \\\\'' (should the \\\\ be converted into a single \\ then the ' should be the string terminator, or do we have to switch to SQL way of encoding and consider '' as a single quote?)

etc.

You have to check your database documentation to see if \\ as escape characters affect only the encoding of special characters (like control characters or the like) and also affects the interpretation of the quote character or simply doesn't, and you have to escape ' the other way.

That is the reason for the vendors to include functions to do the escape/unescape of character literals into values to be embedded in a SQL statement. The idea of the attackers is to include (if you don't properly do) escape sequences into the data they post to you to see if that allows them to modify the text of the sql command to simply add a semicolon ; and write a complete sql statement that allows them to access freely your database.