javascript单双引号问题
在与处理单引号和特殊字符的数据库交互时,我遇到了这个相当经典的问题。在 PHP 中,我用另一个单引号转义单引号,并用 preg_quote 转义正则表达式语法字符,它们正在作为专业人士工作。问题出在 javascript 上,我的脚本中有些地方我在运行时直接将数据库变量传递到 javascript 中以构建它,这就是它崩溃的地方。
以下是一个示例:
var href = "region_view.php?min_row=1&max_row=25®_name=^*&new''region' blah£"&order_by=reg_name asc";
请注意 reg_name 变量,它在 Firebug 控制台中给我一个错误,即左侧赋值无效。第一个问题是,是否有像 eval 这样的函数或者可以默认处理这些单双引号的函数? 第二个问题是,这些类型的事情是在整个应用程序中完成的。回顾每一行 JavaScript 代码并处理单引号和双引号将是一项艰巨的任务。有没有类似全局的东西可以解决这个问题。
我的问题可能听起来很愚蠢,但我用谷歌搜索,找不到任何东西,来到这里希望有人能找到解决方案。
谢谢,
I have this rather classic problem when interacting with databases of handling single quotes and special characters. In PHP I am escaping the single quote with another single quote and regex syntax characters with preg_quote and they are working as a pro. The problem is with javascript, there are some points in my scripts where I am directly passing the database variables at the runtime into the javascript to build it up and that's where it is breaking up.
Following is an example:
var href = "region_view.php?min_row=1&max_row=25®_name=^*&new''region' blah£"&order_by=reg_name asc";
Note the reg_name variable, which is giving me an error in firebug console that invalid assignment left-hand side. First question is, is there any function like eval or something which can take care of these single double quotes by default?
Second question is, these type of things are done all along the application. Going back through each javascript line and taking care of single and double quotes will be a hard task to do. Is there something like global which can sort this problem.
My questions may sound stupid but I googled, couldn't find anything, came here in hope if someone can purpose a solution for it.
Thanks,
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
永远不要在 JavaScript 中构建 SQL。始终将纯值发送到服务器并让它正确转义它们,然后构建 SQL。否则,黑客或脚本小子将破坏您的网站。请注意,网络上有一些自动脚本,它们可以搜索此类漏洞并通过单击鼠标来破解您的网站。
Never build SQL in JavaScript. Always send the pure values to the server and let it escape them properly and then build the SQL. Otherwise, a hacker or script kiddie will break your site. Note that there are automated scripts floating around the net which search for such vulnerabilities and hack your site with a single mouse click.
您应该能够简单地转义引号:
另一件事:如果我没看错的话,您正在通过参数字符串传递正则表达式。我不知道有任何具体的漏洞,但我的直觉告诉我这是一个潜在的安全漏洞,应该避免。
You should be able to simply escape the quotes:
Another thing: If I see correctly, you are passing a regular expression through the parameter string. I don't know of any specific exploits, but my gut tells me this is a potential security hole and should be avoided.
在字符串上调用 php 函数addslashes()。
Call php function addslashes() on your string.