
How do I escape SQL query's single quotes for query generated in javascript/jquery in cartodb database?

I am using javascript/jquery to generate a sql query. I have a sql query I'm generating and using inside a javascript/jquery script.

Something like this:

var storeName;
var query = "SELECT * FROM stores where storeName = '" + storeName + "';";

(storeName is generated through jquery when a user selects from html)

So when storeName is something like "Jackson Deli" the query runs just fine.

But then when storeName is "Jackson's Deli" it does not work and it seems to be because the apostrophe in Jackson's is treated like a closing quote. I know I can escape a quote by doubling it if I was hard-coding the query... so

SELECT * FROM stores where storeName = 'Jackson''s Deli';

should work. But I'm not hard-coding the query. Instead it's being generated by user input and may or may not have an apostrophe in the name. How would I go about escaping this ' character in this case? I would need it to work inside Javascript/jquery.

Would I need to write an if statement that looks for ' in storeName and replaces it with ''? Or is there another way to go about this?

EDIT: Ouch! Normally, yes, I realize the perils of generating a query on the client side.
So here's some more context. I'm working with cartodb and following their documentation. Here's an example from their repo doing something similar to what I'm talking about (they have other examples too):

https://github.com/CartoDB/cartodb.js/blob/develop/examples/layer_selector.html

You can't run a query in cartodb that lets you modify data in any way -- you can only run queries that let you retrieve data. So I'm still thinking about what the best way to escape this quote character would be.

DO NOT GENERATE SQL ON THE CLIENT SIDE... EVER

That being said, if you are going to use a dynamic query, you are best off escaping the user input and binding it to a prepared statement on the server side.

If you post more details about which database (MySQL, Postgres, etc.) and what language you are using for server processing, you will get better answers.

Yes... I am fully aware this doesn't answer the question. Nobody should be creating code this way though.

Edit: Made the warning bigger for emphasis.
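An added example (not code from the question or from any answer) of the client-side quoting the asker is stuck on: the user value is turned into one PostgreSQL string literal (CartoDB runs on PostgreSQL, where a quote inside a literal is doubled), and a small scanner checks that the resulting statement really contains a single terminated literal. The SQL API URL shape is an assumption taken from CartoDB's v2 docs; as the answer says, this keeps the value inside the literal but is not a substitute for binding parameters on a server.

```javascript
// Added example, not code from the question or the answers.
// Quote a user-supplied value as ONE PostgreSQL string literal (CartoDB runs on
// PostgreSQL): a single quote inside the literal is written as two quotes.
// Backslashes are ordinary characters in a plain '...' literal, so they are
// left alone; NUL bytes are dropped because PostgreSQL rejects them in text.
function quoteLiteral(value) {
  if (typeof value !== "string") {
    throw new TypeError("quoteLiteral expects a string");
  }
  const cleaned = value.replace(/\u0000/g, "");
  return "'" + cleaned.replace(/'/g, "''") + "'";
}

// The SELECT from the question, with the store name quoted instead of
// concatenated raw. Whatever the user typed stays inside the literal.
function buildStoreQuery(storeName) {
  return "SELECT * FROM stores WHERE storeName = " + quoteLiteral(storeName) + ";";
}

// Assumed URL shape of CartoDB's read-only SQL API (v2): the statement travels
// in the "q" query parameter, so it must be URL-encoded as well.
function buildSqlApiUrl(account, sql) {
  return "https://" + account + ".cartodb.com/api/v2/sql?q=" + encodeURIComponent(sql);
}

// Sanity check usable in tests: walk the statement and count string literals,
// treating a doubled quote inside a literal as an escaped quote. A statement
// built from one quoted value should report exactly one, terminated, literal;
// the asker's raw concatenation of "Jackson's Deli" reports two and an
// unterminated trailing one, which is why PostgreSQL rejects it.
function countLiterals(sql) {
  let count = 0;
  let inLiteral = false;
  for (let i = 0; i < sql.length; i++) {
    if (sql[i] !== "'") continue;
    if (!inLiteral) {
      inLiteral = true;
      count++;
    } else if (sql[i + 1] === "'") {
      i++; // escaped quote inside the literal, skip the pair
    } else {
      inLiteral = false;
    }
  }
  return { count: count, terminated: !inLiteral };
}
```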

I see others have answered but I wanted to approach this question from a few angles.

The question you're asking is a good one. You recognize that the SQL doesn't work with single quotes. You realize that something needs to be escaped. These are a good starting point for a few considerations that will hopefully help you to architect software in a secure and maintainable way.

  1. Never directly execute client code/content - Generating SQL or any kind of code/instructions (javascript, bytecode, compiled code) from a client is always a poor idea because it breaks a few critical concepts.

    • It's hard to maintain because you cannot control the input fully. Sure you could escape the SQL but that doesn't fix both strange case scenarios where you have other characters you didn't account for.
    • It isn't secure - Your relationship to variables, inputs, CGI params, file contents, database fields whose values came from the aforementioned list, or just about anything that came from a remote system, remote user cannot ever be trusted. Always check, sanitize and validate inputs. I can open the source to your page, see where you add a check for single quotes and change that and then execute the code to delete your records, have it email if certain stored procedures are available, run code on the SQL backend, drop databases (assuming the query runs under appropriate privileges.)
    • It blends/blurs the lines between client input/display and business logic. Research MVC, n-Tier development and other concepts for an introduction to the concepts of separating your business logic from display/inputs. This is critical not only for scalability and performance but also to reduce the chance of issues such as this from causing critical security flaws.
  2. Approach your software development from the bad-guys perspective - Instead of "How can I escape this string to make it work." try "How can I bypass the escape on this page to allow me to delete records, view things I should, etc."

  3. Don't feel bad because the approach is wrong, learn from it. I see a lot of comments about how you should never ever do this (and they're right) but many of us learned this lesson the hard way. We laugh at Little Bobby Tables because we've all written or had to support code that did this. The key is to understand the underpinning of why it's a bad idea and then use that in designing software. Welcome to the school of hard knocks. We're all graduates and thankfully you could learn from our comments rather than when somebody tinkers and corrupts, deletes or infiltrates your database and application.

To get you started on this journey may I suggest reading the following: SQL Injections Explained

And as an added bonus XSS, e.g. escaping OUTPUT that originated from an external system or person. For example a comment entry that contains Hi!!! <script>alert('Thanks to this site not escaping this output I get to run this code under your login. Thanks for the 4000 crates of free tshirts you just ordered for me');</script> how are you??? so that when you output it you get

Comments:Hi!!! <script>alert('Thanks to this site not escaping this output I get to run this code under your login.  Thanks for the 4000 crates of free tshirts you just ordered for me');</script> how are you???

Which is "valid" HTML and the browser will execute it.

Final thoughts - Adopt the motto Trust but Verify and you'll be OK
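An added example (not code from the answer above) of the output escaping the answer's XSS aside is about: untrusted text is encoded for the HTML text/attribute context before it is written into the page, so the stored comment shows up as text instead of running as a script. The sample comment is constructed to match the shape of the answer's example; other contexts (URLs, inline scripts) would need their own encoders.

```javascript
// Added example, not code from the answer above: escape untrusted text before
// it is written into HTML so a stored comment renders as text rather than
// running as a script. This covers the HTML text and quoted-attribute contexts
// only; URL and inline-script contexts need different encoders.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace the five characters that can change meaning inside HTML text or a
// quoted attribute value. '&' is included so a stored "&lt;" cannot be turned
// back into "<" by the browser's entity decoding.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The "Comments:" line from the answer, rendered with the value escaped.
function renderComment(comment) {
  return "Comments:" + escapeHtml(comment);
}

// Constructed sample with the same shape as the answer's comment entry.
const SAMPLE_COMMENT = "Hi!!! <script>alert('hello');</script> how are you???";
```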

FYI, CartoDB does not let you execute queries that change anything in the table; it is read-only.

Send data to your server first, then escape all chars that need to be escaped with addslashes() command (provided that you are using PHP).

addslashes() command on PHP

After you are done with escaping characters, you can send your data to cartoDB using their API and your API key.

cartoDB does provide insert/update/delete tasks through its SQL API. See this link:

http://developers.cartodb.com/documentation/sql-api.html
