PHPã§ãƒ¦ãƒ‹ã‚³ãƒ¼ãƒ‰ã‚¨ã‚¹ã‚±ãƒ¼ãƒ—(unicode_encode, unicode_decode代替) - ã¯ã¦æ—¥è¨˜
PHP6ã‹ã‚‰ã¯ unicode_encode() 関数㨠unicode_decode() 関数ãŒè¿½åŠ ã•ã‚Œã‚‹ã‚‰ã—ã„ã®ã§ã™ãŒã€PHP5ã‚„PHP4ã§ãƒ¦ãƒ‹ã‚³ãƒ¼ãƒ‰ã‚¨ã‚¹ã‚±ãƒ¼ãƒ—ã‚’ã—ãŸã„時ã®ãŸã‚ã«ã€‚ // UTF-8æ–‡å—列をUnicodeエスケープã™ã‚‹ã€‚ãŸã ã—英数å—ã¨è¨˜å·ã¯ã‚¨ã‚¹ã‚±ãƒ¼ãƒ—ã—ãªã„。 function unicode_decode($str) { return preg_replace_callback("/((?:[^\x09\x0A\x0D\x20-\x7E]{3})+)/", "decode_callback", $str); } function decode_callback($matches) { $char = mb_convert_encoding($matches[1], "UTF-16", "UTF-8"); $escaped = ""; for ($i = 0, $l =
『[Oracle] LIKE 検索ã§ã¯å…¨è§’ã®'ï¼…'ã€'_'も特殊文å—ã¨ã—ã¦æ‰±ã‚れる?ã€
SQL 㧠LIKE æ¡ä»¶ã‚’使ã†ã¨ãƒ‘ターン一致検索ãŒå®Ÿè¡Œã§ãã¾ã™ã€‚ ã“ã®æ™‚ã€'%'ã¨'_'ã¯ãã‚Œãžã‚Œä»»æ„ã®æ–‡å—列ã€ä»»æ„ã®ï¼‘æ–‡å—を表ã™ç‰¹æ®Šæ–‡å—ã¨ã—ã¦æ‰±ã‚ã‚Œã¾ã™ã€‚ ã—ãŸãŒã£ã¦ã€'%'ã‚„'_'ã¨ã„ã†æ–‡å—を検索ã—ãŸã„å ´åˆã¯ã€ã‚¨ã‚¹ã‚±ãƒ¼ãƒ—æ–‡å—を使用ã—ã¦ã€æ–‡å—ã¨ã—ã¦ã®'%'ã€'_'ã§ã‚ã‚‹ã“ã¨ã‚’明示ã™ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚ 例ãˆã°ã€COL1 ã«'_'ã‚’å«ã‚€ TBL1 ã®ãƒ¬ã‚³ãƒ¼ãƒ‰ã‚’検索ã—ãŸã„å ´åˆã¯ä»¥ä¸‹ã®ã‚ˆã†ã«è¨˜è¿°ã—ã¾ã™ã€‚ SELECT * FROM TBL1 WHERE COL1 LIKE '%\_%' ESCAPE '\' ã¨ã€ã“ã“ã¾ã§ã¯ SQL ã®å¸¸è˜ã§ã™ã€‚ ã—ã‹ã—ã€å®Ÿã¯ã“ã®'%'ã¨'_'ã€å…¨è§’ã®'ï¼…'ã€'_'ã§ã‚‚ã‚„ã¯ã‚Šç‰¹æ®Šæ–‡å—ã¨ã—ã¦èªè˜ã•ã‚Œã¦ã—ã¾ã†ã®ã§ã™ã€‚ ã¤ã¾ã‚Šã€ SELECT * FROM TBL1 WHERE COL1 LIKE '%_%' ã¨è¨˜è¿°ã™ã‚‹ã¨ã€â€ä»»æ„ã®ï¼‘æ–‡å—ã‚’å«ã‚€â€ã¨ãªã‚Šã¾ã™ã®ã§ã€Nul
![『[Oracle] LIKE 検索ã§ã¯å…¨è§’ã®'ï¼…'ã€'_'も特殊文å—ã¨ã—ã¦æ‰±ã‚れる?ã€](https://cdn-ak-scissors.b.st-hatena.com/image/square/ed239427f781d723ae5cf65616a522073f68d378/height=288;version=1;width=512/https%3A%2F%2Fstat.profile.ameba.jp%2Fprofile_images%2F31%2Farchive-redo-blog%2F1180840362506.jpg)
「\%fooã€ã‹ã‚‰å§‹ã¾ã‚‹æ–‡å—列を検索ã™ã‚‹ã‚¯ã‚¨ãƒªã‚’ãƒãƒ¼ãƒ‰ã‚³ãƒ¼ãƒ‡ã‚£ãƒ³ã‚°ã™ã‚‹ - ockeghem's blog
SQLã®ã‚¨ã‚¹ã‚±ãƒ¼ãƒ—ã¨èžã„ã¦ã‚„ã£ã¦ãã¾ã—ãŸã‚ˆã€‚2008-07-10 - T.Teradaã®æ—¥è¨˜ã‹ã‚‰ 例ãˆã°ã€ã€Œ\%fooã€ã‹ã‚‰å§‹ã¾ã‚‹æ–‡å—列を検索ã™ã‚‹å ´åˆã«ã¯ã€ã©ã®ã‚ˆã†ãªSQL文を書ã‘ã°ã‚ˆã„ã®ã§ã—ょã†ã‹ã€‚ æ¡ä»¶ã¯ä»¥ä¸‹ã®é€šã‚Šã§ã™ã€‚ 1. DBMSソフトã¯MySQL 2. ESCAPE節ã¯ä½¿ã‚ãªã„ ã€ä¸ç•¥ã€‘ 「\%fooã€ã‹ã‚‰å§‹ã¾ã‚‹æ–‡å—列を検索ã™ã‚‹SQLæ–‡ã¯ã€ä»¥ä¸‹ã®ã‚ˆã†ã«ãªã‚Šã¾ã™ã€‚ mysql> SELECT 123 FROM dual WHERE '\\%foo456' LIKE '\\\\\\%foo%'; MySQLã®å ´åˆã€æ–‡å—列リテラルã®ã‚¨ã‚¹ã‚±ãƒ¼ãƒ—ã¨LIKE述語ã®ãƒ¯ã‚¤ãƒ«ãƒ‰ã‚«ãƒ¼ãƒ‰(「%ã€ã€ã€Œ_ã€)ã«å¯¾ã™ã‚‹ã‚¨ã‚¹ã‚±ãƒ¼ãƒ—ã®ä¸¡æ–¹ã«ã€Œ\ã€ã‚’使ã†ã®ã§ã€ã“ã†ã„ã†ã‚„ã‚„ã“ã—ã„ã“ã¨ã«ãªã‚Šã¾ã™ã。T.Teradaã•ã‚“ãŒæ›¸ã‹ã‚Œã¦ã„るよã†ã«ã€ä»¥ä¸‹ã®ã‚ˆã†ã«è€ƒãˆã‚‹ã®ãŒã‚ˆã„ã¨æ€ã„ã¾ã™ã€‚ LIKEã«ä¸Žãˆã‚‹æ–‡å—列ã®ã‚¨ã‚¹ã‚±ãƒ¼ãƒ—処
SQLエスケープã«ãŠã‘る「\ã€ã®å–り扱ã„
補足 ã“ã®è¨˜äº‹ã¯æ—§å¾³ä¸¸æµ©ã®æ—¥è¨˜ã‹ã‚‰ã®è»¢è¼‰ã§ã™ã€‚å…ƒURLã€ã‚¢ãƒ¼ã‚«ã‚¤ãƒ–ã€ã¯ã¦ãªãƒ–ックマーク1ã€ã¯ã¦ãªãƒ–ックマーク2。 備忘ã®ãŸã‚転載ã„ãŸã—ã¾ã™ãŒã€ã“ã®è¨˜äº‹ã¯2008å¹´6月2æ—¥ã«å…¬é–‹ã•ã‚ŒãŸã‚‚ã®ã§ã€å½“時ã®å¾³ä¸¸ã®è€ƒãˆã‚’示ã™ã‚‚ã®ã‚’ã€åŸºæœ¬çš„ã«å†…容を変更ã›ãšã«ãã®ã¾ã¾è»¢è¼‰ã™ã‚‹ã‚‚ã®ã§ã™ã€‚ 補足終ã‚ã‚Š 昨日ã®ã‚¨ãƒ³ãƒˆãƒª(徳丸浩ã®æ—¥è¨˜ - ãã‚ãã‚SQLエスケープã«é–¢ã—ã¦ä¸€è¨€ã„ã£ã¨ãã‹ - SQLã®ã‚¨ã‚¹ã‚±ãƒ¼ãƒ—å†è€ƒ)ã¯æ€ã„ãŒã‘ãšå¤šãã®æ–¹ã«èªã‚“ã§ã„ãŸã ã„ãŸã€‚ã‚ã‚ŠãŒã¨ã†ã”ã–ã„ã¾ã™ã€‚ãã®ä¸ã§é«˜æœ¨æµ©å…‰æ°ã‹ã‚‰ãƒ–ã‚¯ãƒžã‚³ãƒ¡ãƒ³ãƒˆã‚’é ‚æˆ´ã—ãŸã€‚ \ãŒescape用文å—ã®DBã§\ã®escapeãŒå¿…é ˆã«ãªã‚‹ç†ç”±ãŒæ˜Žç¢ºã«æ›¸ã‹ã‚Œã¦ãªã„。\'ãŒä¸Žãˆã‚‰ã‚ŒãŸã¨ã'ã ã‘escapeã™ã‚‹ã¨â€¦ã€‚自作escapeã¯å±ã†ã„。「安全ãªâ€¦ä½œã‚Šæ–¹ã€3版ã§è¿½åŠ ã®ã€Œ3.失敗例ã€ã§ã¯DBã§ç”¨æ„ã•ã‚ŒãŸescape機能ã—ã‹æŽ¨å¥¨ã—ã¦ã„ãªã„ ã“ã®ã†ã¡ã€ã¾ãšã€Œ\ã€ã®ã‚¨ã‚¹ã‚±ãƒ¼ãƒ—ãŒå¿…
徳丸浩ã®æ—¥è¨˜ - ãã‚ãã‚SQLエスケープã«é–¢ã—ã¦ä¸€è¨€ã„ã£ã¨ãã‹ - SQLã®ã‚¨ã‚¹ã‚±ãƒ¼ãƒ—å†è€ƒ
補足 ã“ã®è¨˜äº‹ã¯æ—§å¾³ä¸¸æµ©ã®æ—¥è¨˜ã‹ã‚‰ã®è»¢è¼‰ã§ã™ã€‚å…ƒURLã€ã‚¢ãƒ¼ã‚«ã‚¤ãƒ–ã€ã¯ã¦ãªãƒ–ックマーク1ã€ã¯ã¦ãªãƒ–ックマーク2。 備忘ã®ãŸã‚転載ã„ãŸã—ã¾ã™ãŒã€ã“ã®è¨˜äº‹ã¯2007å¹´11月26æ—¥ã«å…¬é–‹ã•ã‚ŒãŸã‚‚ã®ã§ã€å½“時ã®å¾³ä¸¸ã®è€ƒãˆã‚’示ã™ã‚‚ã®ã‚’ã€åŸºæœ¬çš„ã«å†…容を変更ã›ãšã«ãã®ã¾ã¾è»¢è¼‰ã™ã‚‹ã‚‚ã®ã§ã™ã€‚ 補足終ã‚ã‚Š 本稿ã§ã¯SQLインジェクション対ç–ã¨ã—ã¦ã€SQLã®ã‚¨ã‚¹ã‚±ãƒ¼ãƒ—処ç†ã®æ–¹æ³•ã«ã¤ã„ã¦æ¤œè¨Žã™ã‚‹ã€‚ 最近SQLインジェクション攻撃ãŒçŒ›å¨ã‚’振るã£ã¦ã„ã‚‹ã“ã¨ã‚‚ã‚ã‚Šã€SQLインジェクションã«å¯¾ã™ã‚‹è§£èª¬è¨˜äº‹ãŒå¢—ãˆã¦ããŸã‚ˆã†ã ãŒã€å¯¾ç–方法ã«ã¤ã„ã¦ã¯å分ã«æ›¸ã‹ã‚Œã¦ã„ãªã„よã†ã«æ„Ÿã˜ã‚‹ã€‚éžå¸¸ã«ç¨€ãªã‚±ãƒ¼ã‚¹ã®å¯¾å¿œãŒä¸å分ã ã¨è¨€ã£ã¦ã„ã‚‹ã®ã§ã¯ãªã„。ã”ã基本的ãªã“ã¨ãŒå分書ã‹ã‚Œã¦ã„ãªã„ã¨æ€ã†ã®ã 。 SQLインジェクション対ç–ã«ã¯äºŒé€šã‚Šã‚る。ãƒã‚¤ãƒ³ãƒ‰æ©Ÿæ§‹ã‚’使ã†ã‚‚ã®ã¨ã€SQLã®ã‚¨ã‚¹ã‚±ãƒ¼ãƒ—ã«ã‚ˆã‚‹ã‚‚ã®ã 。ã“ã®ã†ã¡ã€SQLã®ã‚¨ã‚¹ã‚±ãƒ¼ãƒ—ã«ã¤ã„ã¦ã€å分
Text Escaping and Unescaping in JavaScript(Unicode ã®æ–‡å—列をエスケープã™ã‚‹ JavaScript)
Notes No data is sent to the server (i.e. everything is done in JavaScript). Conversion from Unicode to other encodings such as Shift_JIS can be slow first time as it needs to initialize internal conversion tables. Surrogate pairs in UTF-16 are supported. Try inserting \uD840\uDC0B in the second form. Three-byte characters in EUC-JP are not supported. Links JavaScript Unicode Charts Try GNU Libidn
#8371 (to_json cross site scripting security issue (XSS)) - Rails Trac - Trac
Description To json is almost only used for injecting object hashes into javascript. var client = <%= client.to_json %>; Because to_json does not escape its values, it's easy to construct a Cross Site Scripting exploit. If client has a name attribute, to_json will come up with something like: var client = {attributes: {name: "TEST"}}; If we change the name to say: TEST"}}; alert('XSS!!') ;a={{" we
JavaScriptエスケープã«ã¤ã„ã¦è«–考 - hoshikuzu | star_dust ã®æ›¸æ–Ž
http://d.hatena.ne.jp/hoshikuzu/20060130#P20060130BARSFAKE http://d.hatena.ne.jp/amachang/20071010/1192012056 (IT戦記 - 一行㧠IE ã® JavaScript を高速化ã™ã‚‹æ–¹æ³•) ã¯ã˜ã‚㫠次ã®ã‚ˆã†ãªé™å®šã•ã‚ŒãŸã‚±ãƒ¼ã‚¹ã«ãŠã„ã¦ãªã®ã§ã™ãŒã€‚説明上ã®éƒ½åˆã§ã“れを課題Aã¨å‘¼ã¶ã“ã¨ã¨ã—ã¾ã™ã€‚ <SCRIPT TYPE="text/javascript"> <!-- var strA = "$data"; // ・・・以下サイトé‹å–¶è€…ã«ã‚ˆã‚‹å‡¦ç†è¨˜è¿°ä¾‹ alert(0); //--> </SCRIPT>上記ã®ã‚ˆã†ãªã‚±ãƒ¼ã‚¹ã«é™å®šã—ã¦ã®ã‚ªãƒãƒŠã‚·ã§ã™ã‘ã‚Œã©ã€$dataをエスケープã™ã‚‹æ–¹å‘ã§ã®XSS対ç–ã¨ã—ã¦é‡‘床ã•ã‚“ãªã©ã«ã‚ˆã£ã¦ã‹ã¤ã¦è«–è°ã•ã‚Œã¦ã€ã“ã®ã¾ã¾ã§ã¯ä½¿ãˆãã†ã«ãªã„ã¨æ£„å´ã•ã‚ŒãŸJavaScr
1
リリースã€éšœå®³æƒ…å ±ãªã©ã®ã‚µãƒ¼ãƒ“スã®ãŠçŸ¥ã‚‰ã›
最新ã®äººæ°—エントリーã®é…ä¿¡
j次ã®ãƒ–ックマーク
kå‰ã®ãƒ–ックマーク
lã‚ã¨ã§èªã‚€
eコメント一覧を開ã
oページを開ã
Loading...
{{#tags}}- {{label}}
{{/tags}}