javascript单引号问题
[英]javascript single double quote problem
问题描述
I have this rather classic problem when interacting with databases of handling single quotes and special characters. 
与处理单引号和特殊字符的数据库进行交互时,我遇到了一个相当经典的问题。 In PHP I am escaping the single quote with another single quote and regex syntax characters with preg_quote and they are working as a pro. 在PHP中,我用preg_quote转义了另一个引号和regex语法字符,并且它们作为专家工作。 The problem is with javascript, there are some points in my scripts where I am directly passing the database variables at the runtime into the javascript to build it up and that's where it is breaking up. 问题出在javascript上,我的脚本中有些地方要在运行时直接将数据库变量传递到javascript中以进行构建,而这正是分解的原因。
Following is an example: 以下是一个示例:
var href = "region_view.php?min_row=1&max_row=25®_name=^*&new''region' blah£"&order_by=reg_name asc";
Note the reg_name variable, which is giving me an error in firebug console that invalid assignment left-hand side. 注意reg_name变量,这在firebug控制台中给我一个错误,该错误是左侧的无效分配。 First question is, is there any function like eval or something which can take care of these single double quotes by default? 第一个问题是,是否存在诸如eval之类的功能或默认情况下可以处理这些单双引号的功能? Second question is, these type of things are done all along the application. 第二个问题是,这些事情都是在应用程序中完成的。 Going back through each javascript line and taking care of single and double quotes will be a hard task to do. 遍历每条javascript行并注意单引号和双引号将是一项艰巨的任务。 Is there something like global which can sort this problem. 是否有类似全局的东西可以解决这个问题。
My questions may sound stupid but I googled, couldn't find anything, came here in hope if someone can purpose a solution for it. 我的问题听起来很愚蠢,但我搜寻了一下,找不到任何东西,来到这里是希望有人可以为此找到解决方案。
Thanks, 谢谢,
3 个解决方案
解决方案1
3 2010-01-11 10:59:28
Never build SQL in JavaScript. 切勿在JavaScript中构建SQL。 Always send the pure values to the server and let it escape them properly and then build the SQL. 始终将纯值发送到服务器,并让它正确地转义它们,然后构建SQL。 Otherwise, a hacker or script kiddie will break your site. 否则,黑客或脚本小子将破坏您的网站。 Note that there are automated scripts floating around the net which search for such vulnerabilities and hack your site with a single mouse click. 请注意,网上有自动脚本浮动,这些脚本搜索此类漏洞并单击鼠标即可入侵您的网站。
解决方案2
1 2010-01-11 10:52:15
You should be able to simply escape the quotes: 您应该能够简单地转义引号:
var quotes = "\"Quoted String\""
Another thing: If I see correctly, you are passing a regular expression through the parameter string. 另一件事:如果我没看错,您正在通过参数字符串传递正则表达式。 I don't know of any specific exploits, but my gut tells me this is a potential security hole and should be avoided. 我不知道有任何具体的漏洞利用方法,但是我的直觉告诉我,这是一个潜在的安全漏洞,应避免使用。
解决方案3
0 2010-01-11 10:54:10
在您的字符串上调用php函数addlashes()。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.