String interpolation: Difference between revisions

added new page for string interpolation
 
No edit summary
String interpolation can lead to security problems. When user-supplied data is not properly escaped or filtered before it is interpolated, the system is exposed to [[SQL Injection]], [[Script Injection]], [[XML External Entity Injection]] (XXE), and [[Cross Site Scripting]] (XSS) attacks.<ref>http://google-caja.googlecode.com/svn/changes/mikesamuel/string-interpolation-29-Jan-2008/trunk/src/js/com/google/caja/interp/index.html#-autogen-id-1</ref>
 
An example of SQL injection through string interpolation looks like this:
<source lang="text">
query = "SELECT x, y, z FROM Table WHERE id='" + id + "'"
</source>
If ''id'' is replaced with <code>'; DELETE FROM Table WHERE '' = '</code>, the interpolated text becomes <code>SELECT x, y, z FROM Table WHERE id=''; DELETE FROM Table WHERE '' = ''</code>, and executing it as a query wipes out all the data in ''Table''.
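The following is an added example, not part of the original article: it runs the interpolated query above against a throwaway SQLite database to show the rows being deleted, and beside it the parameterised form in which the same payload is treated as an ordinary value. The table is named <code>items</code> rather than <code>Table</code> because <code>TABLE</code> is a reserved word in SQLite, and <code>executescript()</code> stands in for a driver that accepts stacked statements.

```python
import sqlite3

# Constructed sample payload, the same shape as the injected id on this page
# (the table is called "items" here because TABLE is a reserved word in SQLite).
PAYLOAD = "'; DELETE FROM items WHERE '' = '"


def setup():
    """Build a throwaway in-memory database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id TEXT, x INTEGER, y INTEGER, z INTEGER)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?, ?)",
                     [("a", 1, 2, 3), ("b", 4, 5, 6)])
    return conn


def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM items").fetchone()[0]


def lookup_vulnerable(conn, user_id):
    """The page's construction: the id is pasted into the SQL text itself."""
    query = "SELECT x, y, z FROM items WHERE id='" + user_id + "'"
    # executescript() stands in for a driver that accepts stacked statements;
    # the "; DELETE ..." tail of the payload therefore runs as a second statement.
    conn.executescript(query)
    return query


def lookup_safe(conn, user_id):
    """Parameterised form: the SQL text is fixed, the id travels as a bound value."""
    return conn.execute("SELECT x, y, z FROM items WHERE id = ?", (user_id,)).fetchall()


def demo():
    conn = setup()
    before = count_rows(conn)
    query = lookup_vulnerable(conn, PAYLOAD)
    after_vulnerable = count_rows(conn)      # every row is gone

    conn = setup()
    hit = lookup_safe(conn, "a")             # a normal lookup still works
    miss = lookup_safe(conn, PAYLOAD)        # payload matches nothing, deletes nothing
    after_safe = count_rows(conn)
    return query, before, after_vulnerable, hit, miss, after_safe


if __name__ == "__main__":
    print(demo())
```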
 
== See also ==
*[[String]]
*[[String literal]]
*[[Concatenation]]
*[[String exploits]]
 
 
== Notes ==
{{Reflist}}