jQuery、javascript 数组/对象 SQL 注入问题

发布于 2024-10-09 14:32:10 字数 978 浏览 5 评论 0原文

我遇到了问题,但我不知道如何解决它。 我的网站上有一个模块显示一些数据,它使用 jquery dom 并从 javascript 数组创建一些元素,其中包含 javascript 对象。 该数组是用 php 生成的,它从 postgres 数据库获取数据。

因此,如果用户尝试注入数据库,数据库会将字符串存储为普通条目,我对此没有任何问题。 当我想列出内容时出现问题。但是,仅限于客户端。列表完成,我生成了字符串,我将其传递到客户端,创建了 dom 元素,但它们没有内容。我使用php函数addslashes()来逃避转义,但我只会遇到麻烦。

所以:这是数组

[
    {"id": "26", "text": "RSS Feed collection"},
    {"id": "50", "text": "\\ \' "}
]

正如您所看到的,最后一个包含测试注入

编辑
HTML 代码:

 <div class="item">
     <span>Text</span>
 </div>

这是使用 jQuery 生成的。

JS 部分:

var myArray = [the upper array];
var container = $("#container");

for( nI=0, nC = myArray.length; nI<nC; nI++) {
    var currentObj = myArray[nI];
    var newItem = $("<div />").appendTo(container);
    $("<span />").appendTo(item).html(currentObj.text);
}

结果是不可见的,数组看起来不错,但是通常文本应该在的每个地方都是空的。问题是为什么?

Ive got a problem and i don't have any idea how to fix it.
Ive a module on my site that shows some data, it uses jquery dom and it creates some elements from a javascript array, witch contains javascript objects.
This array is generated with php and it gets the data from a postgres database.

So if a user tries to inject the database the database stores the string as a normal entry, i have no problems with it.
The problem appears when I want to list the content. But, only on client side. The listing is done, ive generated the string, i pass it to client side, the dom elements are created, but they have no content. Im using the php function addslashes() to escape the escapes, but i only get in trouble.

So: here is the array

[
    {"id": "26", "text": "RSS Feed collection"},
    {"id": "50", "text": "\\ \' "}
]

As you can see the last one contains the test injection

edit
HTML code:

 <div class="item">
     <span>Text</span>
 </div>

This is generated using jQuery.

JS part:

var myArray = [the upper array];
var container = $("#container");

for( nI=0, nC = myArray.length; nI<nC; nI++) {
    var currentObj = myArray[nI];
    var newItem = $("<div />").appendTo(container);
    $("<span />").appendTo(item).html(currentObj.text);
}

And the result is nothing visible, the array looks fine, but every place where normally the text should be is empty. The question is why?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

沉默的熊 2024-10-16 14:32:10

嗯,听起来您正在将斜杠 (\) 发布到数据库中以转义单引号。

Mysql 和其他数据库使用重复引号来存储 varchar 值(见下文,即双单引号:' x 2)。

INSERT INTO jsonTable (`ID`, `Json`) 
VALUES (5, 
'{ "field": "value with escaped ''single'' quotation marks"}');

情况会变成这样:

ID    Json
-----------------------------------
5     { "field": "value with escaped 'single' quotation marks" }

您最好将 php/javascript 转义字符 (\) 放在一边,并通过以下任一方式限制自己转义引号:

a) 使用 参数化查询,这是最好的方法,因为你不必担心你所拥有的转义与否:

$preparedStatement = 
  $db->prepare('INSERT INTO jsonTable (`ID`, `Json`) VALUES (5, :json');

$preparedStatement->execute(array(':json' => $json));

$rows = $preparedStatement->fetchAll();

b) 通过加倍来替换单引号:

$sqlEscaped = str_replace("'", "''", $json);

至于双引号 " 标记:如果您在上面使用了参数化查询,那么您不必担心,但如果您打算替换SQL 字符串中的字符仅当您在 INSERT / UPDATE 脚本中使用双引号来分隔字符串时才变得相关,即:

INSERT INTO jsonTable (`ID`, `Json`) 
VALUES (5, 
/* Note how the string below begins and ends with (") */
"{ ""field"": ""value with escaped  \\""double\\"" quotation marks""}");

和:

ID    Json
-----------------------------------
5     { "field": "value with escaped \"double\" quotation marks" }

Hmm, sounds like you are posting the slash (\) into the database to escape single quotations.

Mysql and other databases use repeat quotation marks to store varchar values (see below, thats a double single quotation: ' x 2).

INSERT INTO jsonTable (`ID`, `Json`) 
VALUES (5, 
'{ "field": "value with escaped ''single'' quotation marks"}');

Which gets turned into this:

ID    Json
-----------------------------------
5     { "field": "value with escaped 'single' quotation marks" }

You'd be better off leaving the php/javascript escape character (\) aside, and limit yourself to escaping quotations by either:

a) Using a parameterized query, this is the best way since you wont have to worry about what you have escaped or not:

$preparedStatement = 
  $db->prepare('INSERT INTO jsonTable (`ID`, `Json`) VALUES (5, :json');

$preparedStatement->execute(array(':json' => $json));

$rows = $preparedStatement->fetchAll();

b) Replacing single quotations by doubling them up:

$sqlEscaped = str_replace("'", "''", $json);

As for double quotation " marks: again you wont have to worry if you've used a parameterized query above, but if you plan on replacing characters in the SQL string they only become relevant if you are using double quotation marks within your INSERT / UPDATE script to delimit a string. ie:

INSERT INTO jsonTable (`ID`, `Json`) 
VALUES (5, 
/* Note how the string below begins and ends with (") */
"{ ""field"": ""value with escaped  \\""double\\"" quotation marks""}");

And:

ID    Json
-----------------------------------
5     { "field": "value with escaped \"double\" quotation marks" }
夜空下最亮的亮点 2024-10-16 14:32:10

听起来您只是遇到了 JavaScript 问题。作为一个好的实践,您应该通过创建 HTML 项目数组来最小化 DOM 操作操作,以便通过单个 DOM 方法执行来附加它们。试试这个:

var myArray = [{"text": "First"}, {"text": "Second"}, {"text": "\\ \' "}],
 items   = [];

for(nI = 0, nC = myArray.length; nI < nC; nI++) {
    items.push('<div><span>' + myArray[nI].text + '</span></div>');
}

$('#container').append(items.join(""));

在这里测试

Sounds like you're just having a JavaScript issue. As a good practice, you should minimize the DOM manipulation actions by creating an array of the HTML items in order to append them with a single DOM method execution. Try this one:

var myArray = [{"text": "First"}, {"text": "Second"}, {"text": "\\ \' "}],
 items   = [];

for(nI = 0, nC = myArray.length; nI < nC; nI++) {
    items.push('<div><span>' + myArray[nI].text + '</span></div>');
}

$('#container').append(items.join(""));

Test it here

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文