如何确保 Webkit Javascript 数据库的字符串安全
我正在编写一个 Webkit 应用程序,它从 RSS 提要导入数据并将其存储在 Javascript 数据库中。由于数据来自外部源,我想确保字符串在插入数据库之前是安全的。例如,在 PHP 中,我将使用“mysql_real_escape_string”函数来转义引号和其他字符。
理想情况下,我希望远离本机功能,以便可以使用 WebKit 在多个手机平台(iPhone、黑莓、Android)上部署该应用程序。
链接到等效的 PHP 函数: http://php.net/manual/en/function。 mysql-real-escape-string.php
JavaScript 数据库文档链接: https://developer.apple.com/ Library/archive/documentation/iPhone/Conceptual/SafariJSDatabaseGuide/UsingtheJavascriptDatabase/UsingtheJavascriptDatabase.html
示例代码:
目前是:
mydb.transaction(
function(transaction) {
transaction.executeSql("INSERT INTO rss (url,title) VALUES (?,?);",["www.some-rss-feed.com","a title containing a' quote"], successFunction, errorFunction);
}
);
理想情况下应该类似于以下内容,其中“a_safe_function”是名称使字符串对数据库安全的函数。
mydb.transaction(
function(transaction) {
transaction.executeSql("INSERT INTO rss (url,title) VALUES (?,?);",[a_safe_function("www.some-rss-feed.com"),a_safe_function("a title containing a' quote")], successFunction, errorFunction);
}
);
我正在使用的库:
- iPhoneGap
- JQueryMobile
- JQuery
I am writing a Webkit app that imports data from an RSS feed and stores it in a Javascript Database. Since the data is coming from an external source I want to make sure the strings have been made safe before inserting it into the database. For example in PHP I would use "mysql_real_escape_string" function which escapes quotes and other characters.
Ideally I want to keep away from native functions so that this app can be deployed across multiple phone platforms (iPhone,Blackberry,Android) using WebKit.
Link to equivalent PHP function:
http://php.net/manual/en/function.mysql-real-escape-string.php
Link to javascript database documentation:
https://developer.apple.com/library/archive/documentation/iPhone/Conceptual/SafariJSDatabaseGuide/UsingtheJavascriptDatabase/UsingtheJavascriptDatabase.html
Example code:
Currently it is:
mydb.transaction(
function(transaction) {
transaction.executeSql("INSERT INTO rss (url,title) VALUES (?,?);",["www.some-rss-feed.com","a title containing a' quote"], successFunction, errorFunction);
}
);
Ideally it should be something like the following where "a_safe_function" is the name of the function that makes the string safe for the database.
mydb.transaction(
function(transaction) {
transaction.executeSql("INSERT INTO rss (url,title) VALUES (?,?);",[a_safe_function("www.some-rss-feed.com"),a_safe_function("a title containing a' quote")], successFunction, errorFunction);
}
);
Libraries I'm using:
- iPhoneGap
- JQueryMobile
- JQuery
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
单独传递查询和参数时不必进行任何转义。
合并查询和参数是一件丑陋的事情,主要是针对 PHP+MySQL 完成的,因为 PHP 在 PDO 之前没有正确的方法来分别传递查询和参数 - 即使现在很多人也不使用 PDO,而是转义它们的值(或者忘记它; x) 并同义地构建 SQL 字符串:/
You don't have to do any escaping when passing query and arguments separately.
Merging query and parameters is an ugly thing which is done mainly for PHP+MySQL as PHP had no proper way to pass query and parameters separately before PDO - and even nowadays many people are not using PDO but rather escaping their values (or forgetting it ;x) and building SQL strings synamically :/