Revision as of 02:08, 25 October 2011 edit Vadmium (talk \| contribs) 5,381 edits WP:Ambiguous link → String (computer science) ← Previous edit		Revision as of 17:31, 24 November 2011 edit undo Riffraff~enwiki (talk \| contribs) 31 edits →Security Issues Next edit →
Line 69: == Security Issues == String Interpolation, ~~leads~~like string concatenation, may lead to security problems. When failed to properly escape or filter user input data, system will expose to [[SQL Injection]], [[Script Injection]], [[XML External Entity Injection]] (XXE), and [[Cross Site Scripting]] (XSS) attacks.<ref>http://google-caja.googlecode.com/svn/changes/mikesamuel/string-interpolation-29-Jan-2008/trunk/src/js/com/google/caja/interp/index.html#-autogen-id-1</ref> An example of SQL Injection will be like this: <source lang="text"> query = "SELECT x, y, z FROM Table WHERE id= '~~" +~~ $id ~~+ "~~'" </source> If ''id'' is replaced with ''"'; DELETE FROM Table WHERE '' = '"'', executing this query will wipe out all the data on the local machine.

String interpolation: Difference between revisions