From: Evertjan. on
Sean Kinsey wrote on 14 apr 2010 in comp.lang.javascript:

> I cannot really say if either one is more versatile or readable; but I
> do know that not specifying columns names, and just _hoping_ that the
> order you call setSQLstr(foo) with is forever the same as the order of
> the columns in the database is asking for trouble.

I can say that.

Not specifying the fieldnames is never done by me
but was the mirroring of the OP's code.

> And why bother with all that string concatenation.

mirroring of the OP's code.
He could not make head nor tail of it.

> Actually, I will say that my code is more versatile as it supports
> both INSERT and UPDATE without duplicating 90% of the code, and you
> know what; I'm actually favoring my code with regards to readability
> as well.

You could certainly favour that, that is your prerogative.
Others might even condone that.

Personally in a low use application I only INSERT empty records,
that are immediately or later filled with an UPDATE.
So the update function can be used both in updating and creating a record,
and I don't have to bother with the INSERT syntax peculiarities.
And the id at time of creation is better defined.

> What do you know..

Now you are asking too much!

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my email address)
From: Stefan Weiss on
On 14/04/10 10:48, Sean Kinsey wrote:
> On Apr 14, 10:33 am, "Evertjan." <exjxw.hannivo...(a)interxnl.net>
> wrote:
>> function setSQLstr(theVar) {
>> if (SQL!='') SQL += ',';
>> SQL += "'" + theVar + "'";
>> };
....
> maybe even some proper escaping could be added :)

I'd like to emphasize this point. JS has a bad enough reputation as it
is, and posting code which actively encourages SQL injection is not
exactly helpful.

--
stefan
From: Stefan Weiss on
On 15/04/10 05:31, Stefan Weiss wrote:
> ... code which actively encourages SQL injection ...

Just in case you don't know what I'm talking about:
http://xkcd.com/327/


--
stefan
From: Evertjan. on
Stefan Weiss wrote on 15 apr 2010 in comp.lang.javascript:

> On 14/04/10 10:48, Sean Kinsey wrote:
>> On Apr 14, 10:33 am, "Evertjan." <exjxw.hannivo...(a)interxnl.net>
>> wrote:
>>> function setSQLstr(theVar) {
>>> if (SQL!='') SQL += ',';
>>> SQL += "'" + theVar + "'";
>>> };
> ...
>> maybe even some proper escaping could be added :)
>
> I'd like to emphasize this point. JS has a bad enough reputation as it
> is, and posting code which actively encourages SQL injection is not
> exactly helpful.

That reputation only reflects on you, meseems.

My above code does not "actively encourages SQL injection".



--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my email address)
From: Stefan Weiss on
On 15/04/10 16:04, Evertjan. wrote:
> Stefan Weiss wrote on 15 apr 2010 in comp.lang.javascript:
>
>> On 14/04/10 10:48, Sean Kinsey wrote:
>>> On Apr 14, 10:33 am, "Evertjan." <exjxw.hannivo...(a)interxnl.net>
>>> wrote:
>>>> function setSQLstr(theVar) {
>>>> if (SQL!='') SQL += ',';
>>>> SQL += "'" + theVar + "'";
>>>> };
>> ...
>>> maybe even some proper escaping could be added :)
>>
>> I'd like to emphasize this point. JS has a bad enough reputation as it
>> is, and posting code which actively encourages SQL injection is not
>> exactly helpful.
>
> That reputation only reflects on you, meseems.
>
> My above code does not "actively encourages SQL injection".

Ok, fair enough. Your code is safe if you can guarantee that theVar has
been sanitized before setSQLstr() is called, or if you know it can only
contain safe characters. On the other hand, if you use this function to
build an SQL string from user input (for example, from a web form),
you're inviting abuse.

If you added string escaping to your function, you wouldn't have to
remember to escape each and every value before you call setSQLstr(), and
you would never be surprised by unexpected input.

It's your code, and you can do as you like. But if your insecure
application turns up on Bugtraq because of a simple thing like that, it
will reflect badly on the language (which does have a bad reputation,
like it or not).


--
stefan
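As an added example that is not part of the thread, the following JavaScript contrasts the quote-and-concatenate builder quoted above with the two remedies discussed: escaping inside the function, and keeping values out of the SQL text altogether with driver placeholders. The table and column names, the `?` placeholder style and the sample input are constructed assumptions; no database is involved, each builder only returns what would be handed to a driver.

```javascript
// Added example, not code from the thread. It contrasts the quote-and-
// concatenate pattern under discussion with two defensive alternatives.
// Nothing touches a database: each builder returns what would be handed
// to the driver, so the difference is visible in the generated text.

// 1. Naive builder in the style of the quoted setSQLstr(): wrap each value
//    in single quotes and concatenate. A value that itself contains a quote
//    closes the literal early, so the shape of the SQL depends on the data.
function buildNaive(values) {
  let sql = '';
  for (const v of values) {
    if (sql !== '') sql += ',';
    sql += "'" + v + "'";
  }
  return sql;
}

// 2. Escaping builder: the thread's suggestion of escaping inside the
//    function. Doubling a single quote is the SQL-standard way to embed
//    one in a literal. Caveat: some drivers and dialects treat other
//    characters specially (backslashes, for instance), so escaping must
//    match the exact database; that is why option 3 is preferred.
function escapeLiteral(v) {
  return "'" + String(v).replace(/'/g, "''") + "'";
}

function buildEscaped(values) {
  return values.map(escapeLiteral).join(',');
}

// 3. Parameterized builder: values never become SQL text. The statement
//    contains only placeholders; the values travel separately for the
//    driver to bind. The '?' placeholder style is an assumption (it is
//    driver-specific). Table and column names cannot be bound, so they are
//    restricted to a plain-identifier pattern instead of being trusted.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

function buildParameterized(table, columns, values) {
  if (columns.length !== values.length) {
    throw new Error('column/value count mismatch');
  }
  for (const name of [table, ...columns]) {
    if (!IDENT.test(name)) throw new Error('bad identifier: ' + name);
  }
  const placeholders = values.map(() => '?').join(',');
  const text =
    'INSERT INTO ' + table + ' (' + columns.join(',') + ') VALUES (' +
    placeholders + ')';
  return { text, params: values.slice() };
}

// Helper used to compare results: an odd number of single quotes means a
// value has broken out of its literal.
function countQuotes(sql) {
  return (sql.match(/'/g) || []).length;
}

// Constructed sample input: an ordinary name with an apostrophe, the kind
// of value a web form produces without any malicious intent.
const sample = ['Sean', "O'Brien"];

console.log(buildNaive(sample), countQuotes(buildNaive(sample)));     // odd count
console.log(buildEscaped(sample), countQuotes(buildEscaped(sample))); // even count
console.log(buildParameterized('users', ['first_name', 'last_name'], sample));
```

Run with `node`: the naive output contains five quotes, so a perfectly innocent surname already produces a malformed literal, while the escaped output has six and the parameterized statement contains no user data at all. The identifier check matters because placeholders cannot replace table or column names; those must come from code, never from the request.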