开发者

jQuery, javascript array/object SQL injection issue

问答 作者:

Ive got a problem and i don't have any idea how to fix it. Ive a module on my site that shows some data, it uses jquery dom and it creates some elements from a javascript array, witch contains javascript objects. This array is generated with php and it gets the data from a postgres database.

So if a user tries to inject the database the database stores the string as a normal entry, i have no problems with it. The problem appears when I want to list the content. But, only on client side. The listing is done, ive generated the string, i pass it to client side, the dom elements are created, but they have no content. Im using the php function addslashes() to escap开发者_StackOverflow中文版e the escapes, but i only get in trouble.

So: here is the array 

[
    {"id": "26", "text": "RSS Feed collection"},
    {"id": "50", "text": "\\ \' "}
]

As you can see the last one contains the test injection

edit

HTML code: 

 <div class="item">
     <span>Text</span>
 </div>

This is generated using jQuery.

JS part:

var myArray = [the upper array];
var container = $("#container");

for( nI=0, nC = myArray.length; nI<nC; nI++) {
    var currentObj = myArray[nI];
    var newItem = $("<div />").appendTo(container);
    $("<span />").appendTo(item).html(currentObj.text);
}

And the result is nothing visible, the array looks fine, but every place where normally the text should be is empty. The question is why?

Hmm, sounds like you are posting the slash (\) into the database to escape single quotations.

Mysql and other databases use repeat quotation marks to store varchar values (see below, thats a double single quotation: ' x 2).

INSERT INTO jsonTable (`ID`, `Json`) 
VALUES (5, 
'{ "field": "value with escaped ''single'' quotation marks"}');

Which gets turned into this:

ID    Json
-----------------------------------
5     { "field": "value with escaped 'single' quotation marks" }

You'd be better off leaving the php/javascript escape character (\) aside, and limit yourself to escaping quotations by either:

a) Using a parameterized query, this is the best way since you wont have to worry about what you have escaped or not:

$preparedStatement = 
  $db->prepare('INSERT INTO jsonTable (`ID`, `Json`) VALUES (5, :json');

$preparedStatement->execute(array(':json' => $json));

$rows = $preparedStatement->fetchAll();

b) Replacing single quotations by doubling them up: 

$sqlEscaped = str_replace("'", "''", $json);

As for double quotation " marks: again you wont have to worry if you've used a parameterized query above, but if you plan on replacing characters in the SQL string they only become relevant if you are using double quotation marks within your INSERT / UPDATE script to delimit a string. ie:

INSERT INTO jsonTable (`ID`, `Json`) 
VALUES (5, 
/* Note how the string below begins and ends with (") */
"{ ""field"": ""value with escaped  \\""double\\"" quotation marks""}");

And:

ID    Json
-----------------------------------
5     { "field": "value with escaped \"double\" quotation marks" }

Sounds like you're just having a JavaScript issue. As a good practice, you should minimize the DOM manipulation actions by creating an array of the HTML items in order to append them with a single DOM method execution. Try this one:

var myArray = [{"text": "First"}, {"text": "Second"}, {"text": "\\ \' "}],
 items   = [];

for(nI = 0, nC = myArray.length; nI < nC; nI++) {
    items.push('<div><span>' + myArray[nI].text + '</span></div>');
}

$('#container').append(items.join(""));

Test it here

继续阅读:javascriptjqueryphpsql-injection

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9