Skip to content Skip to sidebar Skip to footer
Home / Javascript / Sql Injection / Web Sql / Webkit

Prevent Sql Injection In Websql Database? (how To Handle Quotes In Data?)

Post a Comment
I'm currently importing an xml export of a mysql database into a websql database for use in an online mobile experience. Everything works fine and dandy until there are double quot

Solution 1:

Forget about escaping. Do the right thing: use placeholders. In this case data will never ever be treated as anything but raw data string. In Web SQL this can be done with executeSql. See pre-processing section on explanation on how this works.

Example straight from intro of document:

db.readTransaction(function (t) {
  t.executeSql('SELECT title, author FROM docs WHERE id=?', [id], function (t, data) {
    report(data.rows[0].title, data.rows[0].author);
  });
});

No matter what is in id variable, this request will look for verbatim value, never being interpreted as part of command.

Solution 2:

A simple workaround would be to use an AJAX request to send the XML string to PHP, which would return the string with quotes escaped.

You may like these posts

Post a Comment for "Prevent Sql Injection In Websql Database? (how To Handle Quotes In Data?)"