使用postgresql的sql,来自其他文档,众所周知,应该过滤几个特殊关键字以防止sql注入攻击,例如',;,&,<,>。
quote(Value) when is_integer(Value)->
Value;
quote(Value) ->
%% seperate_by(["'",Value,"'"],"").
Value_a = lists:dropwhile(fun($')->true;
($;)->true;
($<)->true;
($>)->true;
($&)->true;
(_)->false
end,Value),
seperate_by(["'",Value_a,"'"],"").
(emacs@yus-iMac.local)62> john_worker:quote("<>&asdf'").
"'asdf''"
(emacs@yus-iMac.local)63> john_worker:quote("'asdf").
"'asdf''"
(emacs@yus-iMac.local)64> john_worker:quote("'asdf").
"'asdf'"
(emacs@yus-iMac.local)65> john_worker:quote("'asdf").
"'asdf'"
(emacs@yus-iMac.local)66> john_worker:quote("a'sdf").
"'a'sdf'"
(emacs@yus-iMac.local)67> john_worker:quote("a>sdf").
"'a>sdf'"
列表:过滤器适用于这些特殊字符前缀的单词,但不适用于其他条件。为什么呢?
答案 0 :(得分:2)
我不确定你期望的结果,如果你只是想跳过这些特殊字符,你可以使用列表理解:
quote(Value) ->
"'" ++ [X || X <- Value , X =/= $', X =/= $;, X =/= $<, X =/= $>, X =/= $&] ++ "'".