WebSQL注入预防与Javascript [英] WebSQL injection prevention with Javascript
问题描述
在JavaScript中有一个类似于PHP的函数 mysql_real_escape_string
如果没有,是否有人知道自定义函数?
更新:
所以看起来没有原生函数,所以我写了:
function sql_real_escape_string(val){
var val = val.replace('','& quot;');
val = val.replace '\'','& rsquo;');
return val;
}
有没有其他字符,我应该替换为安全的一面?
Web SQL API支持以下操作:
var db = openDatabase(' mydb','1.0','my database',2 * 1024 * 1024);
db.transaction(function(tx){
tx.executeSql('INSERT INTO foo(id,text)VALUES(?,?)',[id,userValue]);
} );
而不是这样:
db.transaction(function(tx){
tx.executeSql('INSERT INTO foo(id,text)VALUES(1,user-entered value)');
});
I've search around but not found an answer to this one.
Is there a function in Javascript similar to PHP's mysql_real_escape_string
to make safe user inputs before writing them to a WebSQL database?
If not, does anyone know of a custom made function out there that I could use?
UPDATE: So it seems like there is no native function, so I have written:
function sql_real_escape_string(val){
var val = val.replace('"','"');
val = val.replace('\'','’');
return val;
}
Are there any other characters that I should be replacing to be on the safe side?
The best answer to handling user input when inserting into databases is to employ paramaterization. The Web SQL API supports this:
var db = openDatabase('mydb', '1.0', 'my database', 2 * 1024 * 1024);
db.transaction(function (tx) {
tx.executeSql('INSERT INTO foo (id, text) VALUES (?, ?)', [id, userValue]);
});
Instead of this:
db.transaction(function (tx) {
tx.executeSql('INSERT INTO foo (id, text) VALUES (1, "user-entered value")');
});
这篇关于WebSQL注入预防与Javascript的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!