问题
I'm currently importing an xml export of a mysql database into a websql database for use in an online mobile experience.
Everything works fine and dandy until there are double quotes in whatever string I am inserting. Normally, in PHP I would be using something like: mysql_real_escape_string while inserting.
Options I know I can try is to write regex and make functions for adding/removing slashes. There are lots of examples on google for this - but what i'm looking to see is if anyone else has encountered this, and possibly has a better solution.
Thanks for any help!
回答1:
Forget about escaping. Do the right thing: use placeholders. In this case data will never ever be treated as anything but raw data string. In Web SQL this can be done with executeSql. See pre-processing section on explanation on how this works.
Example straight from intro of document:
db.readTransaction(function (t) {
t.executeSql('SELECT title, author FROM docs WHERE id=?', [id], function (t, data) {
report(data.rows[0].title, data.rows[0].author);
});
});
No matter what is in id variable, this request will look for verbatim value, never being interpreted as part of command.
回答2:
A simple workaround would be to use an AJAX request to send the XML string to PHP, which would return the string with quotes escaped.
来源:https://stackoverflow.com/questions/10148599/prevent-sql-injection-in-websql-database-how-to-handle-quotes-in-data