使用Javascript防止WebSQL注入
[英]WebSQL injection prevention with Javascript
问题描述
I've search around but not found an answer to this one. 
我到处搜寻,但没有找到答案。
Is there a function in Javascript similar to PHP's mysql_real_escape_string to make safe user inputs before writing them to a WebSQL database? Javascript中是否有类似于PHP的mysql_real_escape_string的函数,可以在将用户输入写入WebSQL数据库之前对其进行安全输入?
If not, does anyone know of a custom made function out there that I could use? 如果不是,是否有人知道我可以使用的自定义函数?
UPDATE: So it seems like there is no native function, so I have written: 更新:所以似乎没有本机函数,所以我写了:
function sql_real_escape_string(val){
var val = val.replace('"','"');
val = val.replace('\'','’');
return val;
}
Are there any other characters that I should be replacing to be on the safe side? 为了安全起见,我还应该替换其他字符吗?
1 个解决方案
解决方案1
5 2012-07-22 02:12:08
The best answer to handling user input when inserting into databases is to employ paramaterization. 插入数据库时处理用户输入的最佳答案是采用参数化。 The Web SQL API supports this: Web SQL API支持以下功能:
var db = openDatabase('mydb', '1.0', 'my database', 2 * 1024 * 1024);
db.transaction(function (tx) {
tx.executeSql('INSERT INTO foo (id, text) VALUES (?, ?)', [id, userValue]);
});
Instead of this: 代替这个:
db.transaction(function (tx) {
tx.executeSql('INSERT INTO foo (id, text) VALUES (1, "user-entered value")');
});
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.