
How do I escape data in Javascript for a client-side database like WebDB or Google Gears?

If I'm using a client-side database like Google Gears or a WebDB implementation, what's the best way to escape the data to prevent SQL injection? Wrap it in encodeURI()?

Furthermore, do I even need to worry about it? There's a blurb here, http://code.google.com/apis/gears/api_database.html#Database-execute, that makes me think it's handled for me, but I wasn't sure.

You don't have to worry about quoting/escaping if you're using placeholders. So this:

// Four '?' placeholders, four bound values: the database driver quotes them,
// so the values never become part of the SQL text. (INSERT takes no WHERE.)
var resultSet = db.execute(
  'INSERT INTO MYTABLE VALUES (?, ?, ?, ?)',
  [some, variables, that_you_got_from, somewhere]
);

is fine as-is. If you're trying to build SQL by pasting a bunch of strings together then you're going to have problems, so don't do that. However, there are cases where you'll need to paste strings together to get your SQL, but there are safe ways around that; something like this tends to be a common case where you can use both placeholders and string concatenation:

var list = some_array_of_unknown_size_and_origin;
var qs   = [ ];

// One '?' per element, so the bound-argument array lines up with the IN list.
// Only the placeholder list is concatenated; the values themselves are bound.
for (var i = 0; i < list.length; ++i)
    qs.push('?');

var rs = db.execute(
    "UPDATE some_table SET col = 'blahblah' WHERE id IN (" + qs.join(',') + ")",
    list
);
