Timeline for Building SQL statement in javascript and casting variables as strings
Current License: CC BY-SA 3.0
5 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Jul 11, 2013 at 13:14 | comment added | Russell at ISC | | If he builds queries as string literals and gets sql_geom and shedId from the client he'll be vulnerable to SQL injection either way. Bind variables are the best way to deal with that problem. |
| Jul 10, 2013 at 23:56 | comment added | blah238 | | Not sure why you are writing SQL statements in JavaScript. This seems ripe for SQL injection. I would suggest building the SQL statements in server-side code. |
| Jul 10, 2013 at 20:30 | answer added | Russell at ISC | | timeline score: 2 |
| Jul 10, 2013 at 17:34 | comment added | Jan | | I'm also having the problem that when my incoming shedId is this: PU2_3900_3750, the browser returns this in the error: pu2_3900_3750. (It doesn't see the capital letters, hence the comparison fails.) Maybe this is related to my question above, or at least maybe an answer will solve both problems. |
| Jul 10, 2013 at 17:31 | history: asked | Jan | CC BY-SA 3.0 | |