防止在WebSQL数据库中进行SQL注入?(如何处理数据中的引号?) [英] Prevent SQL injection in WebSQL database? (How to handle quotes in data?)

问题描述

我目前正在将mysql数据库的xml导出导入到websql数据库中，以用于在线移动体验.

I'm currently importing an xml export of a mysql database into a websql database for use in an online mobile experience.

在插入的任何字符串中都使用双引号之前，一切工作正常且繁琐.通常，在PHP中，插入时我会使用类似mysql_real_escape_string的内容.

Everything works fine and dandy until there are double quotes in whatever string I am inserting. Normally, in PHP I would be using something like: mysql_real_escape_string while inserting.

我知道我可以尝试的选项是编写正则表达式并创建用于添加/删除斜杠的功能.谷歌上有很多关于此的示例-但我希望看到的是其他人是否遇到过这种情况，并且可能有更好的解决方案.

Options I know I can try is to write regex and make functions for adding/removing slashes. There are lots of examples on google for this - but what i'm looking to see is if anyone else has encountered this, and possibly has a better solution.

感谢您的帮助！

推荐答案

忘记转义.做正确的事:使用占位符.在这种情况下，除原始数据字符串外，数据永远不会被视为任何东西.在Web SQL中，可以使用 executeSql .有关其工作原理的说明，请参见预处理部分.

Forget about escaping. Do the right thing: use placeholders. In this case data will never ever be treated as anything but raw data string. In Web SQL this can be done with executeSql. See pre-processing section on explanation on how this works.

直接来自文档简介的示例:

Example straight from intro of document:

db.readTransaction(function (t) {
  t.executeSql('SELECT title, author FROM docs WHERE id=?', [id], function (t, data) {
    report(data.rows[0].title, data.rows[0].author);
  });
});

无论 id 变量中有什么内容，此请求都将查找逐字记录值，而不会被解释为命令的一部分.

No matter what is in id variable, this request will look for verbatim value, never being interpreted as part of command.

这篇关于防止在WebSQL数据库中进行SQL注入?(如何处理数据中的引号?)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！