Revision as of 03:55, 4 October 2013 edit 186.60.214.125 (talk) No edit summary ← Previous edit		Revision as of 14:58, 14 October 2013 edit undo Frap (talk \| contribs) Extended confirmed users, File movers, Pending changes reviewers, Rollbackers 35,597 edits →Security Issues Next edit →
Line 155: </source> == Security ~~Issues~~issues == String Interpolation, like string concatenation, may lead to security problems. When failed to properly escape or filter user input data, system will expose to [[SQL ~~Injection~~injection]], [[~~Script~~script ~~Injection~~injection]], [[XML External Entity Injection]] (XXE), and [[~~Cross Site~~cross-site ~~Scripting~~scripting]] (XSS) attacks.<ref>http://google-caja.googlecode.com/svn/changes/mikesamuel/string-interpolation-29-Jan-2008/trunk/src/js/com/google/caja/interp/index.html#-autogen-id-1</ref> An example of SQL ~~Injection~~injection will be like this: query = "SELECT x, y, z FROM Table WHERE id='$id' "▼ ~~<source lang="text">~~ ▲query = "SELECT x, y, z FROM Table WHERE id='$id' " ~~</source>~~ If ''$id'' is replaced with ''"'; DELETE FROM Table; SELECT * FROM Table WHERE id='"'', executing this query will wipe out all the data in Table.

String interpolation: Difference between revisions