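#!/usr/bin/env python

"""
Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW


def tamper(payload, **kwargs):
    """
    Replaces space character (' ') with a pound character ('#') followed by a new line ('\n')

    Requirement:
        * MSSQL
        * MySQL

    Notes:
        * Useful to bypass several web application firewalls

    Args:
        payload: the SQL payload string to rewrite. A falsy value (None or '')
            yields ''. Note that the check is ``str.isspace()``, so every
            whitespace character is rewritten, not only ' '.
        **kwargs: accepted for interface compatibility with other tamper
            scripts; not used here.

    Returns:
        The rewritten payload. Once an inline comment marker ('#' or '-- ')
        is reached, the remainder of the payload is copied through unchanged,
        so whitespace inside a trailing comment is preserved.

    >>> tamper('1 AND 9227=9227')
    '1%23%0AAND%23%0A9227=9227'
    """

    # Collect fragments and join once at the end; the previous repeated
    # string concatenation inside the loop was quadratic on long payloads.
    parts = []

    if payload:
        for i, ch in enumerate(payload):
            if ch.isspace():
                # URL-encoded '#' followed by a newline stands in for the whitespace.
                parts.append("%23%0A")
            elif ch == '#' or payload[i:i + 3] == '-- ':
                # Start of an inline comment: keep the rest verbatim and stop.
                parts.append(payload[i:])
                break
            else:
                parts.append(ch)

    return "".join(parts)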