Revision as of 23:32, 15 March 2023 edit Mikhail Ryazanov (talk \| contribs) Extended confirmed users 24,662 edits m →Algorithms: style, punct. ← Previous edit		Revision as of 23:34, 15 March 2023 edit undo Mikhail Ryazanov (talk \| contribs) Extended confirmed users 24,662 edits m →Security issues: MOS:CAPS, fmt. Next edit →
Line 20: == Security issues == String interpolation, like string concatenation, may lead to security problems. If user input data is improperly escaped or filtered, the system will be exposed to [[SQL injection]], [[script injection]], [[XML ~~External~~external ~~Entity~~entity ~~Injection]]~~attack\|XML external entity (XXE) injection]], and [[cross-site scripting]] (XSS) attacks.<ref>{{cite web \|url=http://google-caja.googlecode.com/svn/changes/mikesamuel/string-interpolation-29-Jan-2008/trunk/src/js/com/google/caja/interp/index.html#-autogen-id-1 \|title= Secure String Interpolation\|website=google-caja.googlecode.com \|archive-url=https://web.archive.org/web/20121019065315/http://google-caja.googlecode.com/svn/changes/mikesamuel/string-interpolation-29-Jan-2008/trunk/src/js/com/google/caja/interp/index.html#-autogen-id-1 \|archive-date=2012-10-19}}</ref> An SQL injection example: query = "{{code\|2=sql\|1=SELECT x, y, z FROM Table WHERE id='$id'}} " If ''<code>$id</code>'' is replaced with ''"<code>'; {{code\|2=sql\|1=DELETE FROM Table; SELECT * FROM Table WHERE id='}}</code>"'', executing this query will wipe out all the data in <code>Table</code>. == Examples ==

String interpolation: Difference between revisions