[英]WebSQL injection prevention with Javascript
I've search around but not found an answer to this one. 我到处搜寻,但没有找到答案。
Is there a function in Javascript similar to PHP's mysql_real_escape_string
to make safe user inputs before writing them to a WebSQL database? Javascript中是否有类似于PHP的
mysql_real_escape_string
的函数,可以在将用户输入写入WebSQL数据库之前对其进行安全输入?
If not, does anyone know of a custom made function out there that I could use? 如果不是,是否有人知道我可以使用的自定义函数?
UPDATE: So it seems like there is no native function, so I have written: 更新:所以似乎没有本机函数,所以我写了:
function sql_real_escape_string(val){
var val = val.replace('"','"');
val = val.replace('\'','’');
return val;
}
Are there any other characters that I should be replacing to be on the safe side? 为了安全起见,我还应该替换其他字符吗?
The best answer to handling user input when inserting into databases is to employ paramaterization. 插入数据库时处理用户输入的最佳答案是采用参数化。 The Web SQL API supports this:
Web SQL API支持以下功能:
var db = openDatabase('mydb', '1.0', 'my database', 2 * 1024 * 1024);
db.transaction(function (tx) {
tx.executeSql('INSERT INTO foo (id, text) VALUES (?, ?)', [id, userValue]);
});
Instead of this: 代替这个:
db.transaction(function (tx) {
tx.executeSql('INSERT INTO foo (id, text) VALUES (1, "user-entered value")');
});
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.