stackoom
  简体   繁体   中英

WebSQL injection prevention with Javascript

 原文  2012-07-22 02:01:53       javascript/ sql/ cordova

Question

I've search around but not found an answer to this one.

Is there a function in Javascript similar to PHP's mysql_real_escape_string to make safe user inputs before writing them to a WebSQL database?

If not, does anyone know of a custom made function out there that I could use?

UPDATE: So it seems like there is no native function, so I have written: 

function sql_real_escape_string(val){
    var val = val.replace('"','"');
    val = val.replace('\'','’');
    return val;
}

Are there any other characters that I should be replacing to be on the safe side?

1 answers

solution1
 5  2012-07-22 02:12:08

The best answer to handling user input when inserting into databases is to employ paramaterization. The Web SQL API supports this: 

var db = openDatabase('mydb', '1.0', 'my database', 2 * 1024 * 1024);
db.transaction(function (tx) {
  tx.executeSql('INSERT INTO foo (id, text) VALUES (?, ?)', [id, userValue]);
});

Instead of this: 

db.transaction(function (tx) {
  tx.executeSql('INSERT INTO foo (id, text) VALUES (1, "user-entered value")');
});

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Javascript Injection prevention on Wordpress Javascript injection attack prevention for textboxes JavaScript NoSQL Injection prevention in MongoDB Is this a good way for SQL injection prevention websql drop column with javascript WebSQL and Javascript Order of Operation Converting JavaScript websql to Clojurescript JavaScript WebSQL databases Javascript XSS Prevention WebSQL - Check database for records (javascript)
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM