Is there mySQL equivalent for Postgresql "Adjustment of lines in dollars"?

Question

In postgresql, you can use "String Constants with the Dollar" to avoid escaping single quotes in constant lines:

Without constants with constants in dollars:

'Jeff' table'

With constants encoded in dollars:

$$Jeff table$$

Is there a MySQL equivalent?

In the editor: I'm not looking for a way to sanitize the input, I'm looking for a way to make queries that generate sql easier to read.

+3

tpdi Apr 25 '09 at 1:20

2 answers

Joel Coehoorn · Answer 1 · 2009-04-25T01:26:33+0000

No, because it really doesn't work. The attacker simply adds a couple of dollar icons to their injection attempt.

- , , . , , , db , , , .

. :

sql = "SELECT * FROM MyTable WHERE Column1=$$" + somevarialbe + "$$ AND Column2=$$" + OtherVariable";

:

sql = "SELECT * FROM MyTable wHERE Column1=@Value1 AND Column2=@Value2";

... , .

, . "" where . , ; , , . - .

Tim Bellis · Answer 2 · 2012-05-14T16:56:33+0000

,

"Jeff table"

. , , ANSI_QUOTES SQL. MySQL :

ANSI_QUOTES SQL, , , , .