Class MySQLCodec

  • All Implemented Interfaces:
    Codec<java.lang.Character>

    public class MySQLCodec
    extends AbstractCharacterCodec
    Codec implementation that can be used to escape string literals in MySQL.
    The implementation accepts two modes, following the OWASP-recommended escaping strategies:
    • ANSI
      Encode every ' (single tick) character as '' (two single ticks)

    • Standard
         NUL (0x00) --> \0  [This is a zero, not the letter O]
         BS  (0x08) --> \b
         TAB (0x09) --> \t
         LF  (0x0a) --> \n
         CR  (0x0d) --> \r
         SUB (0x1a) --> \Z
         "   (0x22) --> \"
         %   (0x25) --> \%
         '   (0x27) --> \'
         \   (0x5c) --> \\
         _   (0x5f) --> \_ 
         
      All other non-alphanumeric characters with ASCII values less than 256 --> \c, where 'c' is the original non-alphanumeric character.
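
The two modes above, written out as a stand-alone Java sketch. This is an added example, not ESAPI's source code: the class `MySQLEscapeDemo`, its `Mode` enum and its `encode` helper are hypothetical names, and passing characters at or above 256 through unchanged is an assumption drawn from the "less than 256" wording.

```java
import java.util.Map;

// Added illustration of the escaping rules listed on this page; not ESAPI source code.
public class MySQLEscapeDemo {                 // hypothetical class name
    enum Mode { ANSI, STANDARD }               // the two modes described above

    // Named escapes from the Standard-mode table.
    private static final Map<Character, String> SPECIALS = Map.ofEntries(
        Map.entry('\0', "\\0"), Map.entry('\b', "\\b"), Map.entry('\t', "\\t"),
        Map.entry('\n', "\\n"), Map.entry('\r', "\\r"), Map.entry((char) 0x1a, "\\Z"),
        Map.entry('"', "\\\""), Map.entry('%', "\\%"), Map.entry('\'', "\\'"),
        Map.entry('\\', "\\\\"), Map.entry('_', "\\_"));

    static boolean isAsciiAlnum(char c) {
        return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
    }

    // Escapes input for use inside a quoted MySQL string literal.
    static String encode(Mode mode, String input) {
        StringBuilder out = new StringBuilder();
        for (char c : input.toCharArray()) {
            if (mode == Mode.ANSI) {
                // ANSI: only the single tick is changed, by doubling it.
                out.append(c == '\'' ? "''" : String.valueOf(c));
            } else if (isAsciiAlnum(c) || c >= 256) {
                out.append(c);                       // assumption: left unchanged
            } else if (SPECIALS.containsKey(c)) {
                out.append(SPECIALS.get(c));         // entry from the table
            } else {
                out.append('\\').append(c);          // generic \c rule
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String sample = "50%_off O'Reilly\n";        // constructed sample input
        System.out.println("STANDARD: " + encode(Mode.STANDARD, sample));
        System.out.println("ANSI:     " + encode(Mode.ANSI, sample));
    }
}
```

The two outputs differ for the same input, which is why the constructor takes the mode the target server is running in.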
    Since:
    June 1, 2007
    See Also:
    MySQL 8.0 String Literals, OWASP SQL_Injection_Prevention_Cheat_Sheet#MySQL_Escaping
    Author:
    Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
    • Constructor Detail

      • MySQLCodec

        public MySQLCodec(MySQLCodec.Mode mode)
        Instantiate the MySQL Codec with the given SQL MySQLCodec.Mode.
        Parameters:
        mode - The mode the target server is running in
    • Method Detail

      • decodeCharacter

        public java.lang.Character decodeCharacter(PushbackSequence<java.lang.Character> input)
        Returns the decoded version of the next character from the input string and advances the current character in the PushbackSequence. If the current character is not encoded, this method MUST reset the PushbackString.
        Returns the decoded version of the character starting at index, or null if no decoding is possible.
        All of the following formats are legal (case sensitive):
          In ANSI_MODE '' decodes to '
          In MYSQL_MODE \x decodes to x (or a small list of specials)
        Specified by:
        decodeCharacter in interface Codec<java.lang.Character>
        Overrides:
        decodeCharacter in class AbstractCodec<java.lang.Character>
        Parameters:
        input - the Character to decode
        Returns:
        the decoded Character