防止在WebSQL数据库中进行SQL注入?(如何处理数据中的引号?) [英] Prevent SQL injection in WebSQL database? (How to handle quotes in data?)
问题描述
我目前正在将mysql数据库的xml导出导入到websql数据库中,以用于在线移动体验.
I'm currently importing an xml export of a mysql database into a websql database for use in an online mobile experience.
在插入的任何字符串中都使用双引号之前,一切工作正常且繁琐.通常,在PHP中,插入时我会使用类似mysql_real_escape_string的内容.
Everything works fine and dandy until there are double quotes in whatever string I am inserting. Normally, in PHP I would be using something like: mysql_real_escape_string while inserting.
我知道我可以尝试的选项是编写正则表达式并创建用于添加/删除斜杠的功能.谷歌上有很多关于此的示例-但我希望看到的是其他人是否遇到过这种情况,并且可能有更好的解决方案.
Options I know I can try is to write regex and make functions for adding/removing slashes. There are lots of examples on google for this - but what i'm looking to see is if anyone else has encountered this, and possibly has a better solution.
感谢您的帮助!
推荐答案
忘记转义.做正确的事:使用占位符.在这种情况下,除原始数据字符串外,数据永远不会被视为任何东西.在Web SQL中,可以使用 executeSql
一个>.有关其工作原理的说明,请参见预处理部分.
Forget about escaping. Do the right thing: use placeholders. In this case data will never ever be treated as anything but raw data string. In Web SQL this can be done with executeSql
. See pre-processing section on explanation on how this works.
直接来自文档简介的示例:
Example straight from intro of document:
db.readTransaction(function (t) {
t.executeSql('SELECT title, author FROM docs WHERE id=?', [id], function (t, data) {
report(data.rows[0].title, data.rows[0].author);
});
});
无论 id
变量中有什么内容,此请求都将查找逐字记录值,而不会被解释为命令的一部分.
No matter what is in id
variable, this request will look for verbatim value, never being interpreted as part of command.
这篇关于防止在WebSQL数据库中进行SQL注入?(如何处理数据中的引号?)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!