I am writing a function that will sit in a external file that creates tables within a web DB. This is all being done with Javascript and HTML 5 local databases. I want to pass in a variable to generate the table name like:
mydb.transaction(function(tx) {
tx.executeSql('CREATE TABLE IF NOT EXISTS **?** (id INTEGER PRIMARY KEY, name TEXT)', [**DB_Table**]);
});
but understand that the question mark can only be used in place of literals is there any way around this?
No, there is no way to parameterise schema names. If you really need to allow dynamic names, you will have to encode them into a schema name literal manually.
The ANSI SQL format for schema name literals is to surround them in double-quotes, and replace any double-quote character inside the string with a doubled double-quote.
var txlit= '"'+tc.replace(/"/g, '""')+'"';
query= 'CREATE TABLE IF NOT EXISTS '+txlit+' (id INTEGER ...)';
Well, there are some reasons for the limits of sql parameters.
But I think you are facing the meta programming issue, so check out the StringTemplate.
With StringTemplate, it dons't force you to use it exclusively. It just a String template language for any purpose.
Unfortunately, StringTemplate don't support JavaScript, but I think that the philosophy of it's design is still worth to know.
Related
Im relatively new to javascript. I have an ID
btnradio_-1-1_4_-1
for an input button but it is being read as a Numeric Separator and giving me the error
Uncaught SyntaxError: Numeric separators are not allowed at the end of numeric literals
The ID is coming from a Model which reads all other data fine in the context. The format of the ID is as it is for tracking dynamic values on a razor/jquery web page, so its prefered that the ID format doesn't change.
How can you read it as just a string and not a Numeric Separator variable? I need the ID to call in a getElementByID().
I tried storing it in a separate string variable, as well as converting it to a string then using it, but I get the same error.
EDIT: My javascript is embedded in a razor section if that is causing any conflicts. I am unsure if its relevant or not. It is also alongside some jQuery.
#section scripts {
<script>
...
document.getElementById(#Model.ItemIDs[3]).className += "btn-check:active";
...
</script>
}
EDIT: I had the wrong ID pasted in the question. It has been corrected and should make more sense than the last one in the context
I'm programming in oTree (which is a Django based environment for social experiments) and I have the following problem. I defined some lists in Python and I'd like to import them and use them in an HTML template. If I print them in HTML I manage to see them without any problem, however, once I need to use them in Javascript, the program fails to read them and the single quotes of the elements of the list are converted in '.
The list is imported like this var filtered_elements = {{ array }};.
I think the problem is exactly here, as JS cannot work with them. Do you have any suggestion on how to do that? I considered using JSON, but since I'm quite new to programming, I cannot understand if it's just a waste of time or there is a simpler way out.
Thanks for your answers!
It sounds like your data is already JSON, otherwise you would be getting single quotes and u prefixes. So the only issue is Django autoescaping; you can disable it with the safe filter:
var filtered_elements = {{ array|safe }};
Your data should be JSON, instead of putting the Python list into the contact directly, put "array": json.dumps(array) in the context dictionary.
The JSON string doesn't need HTML escaping inside a tag, but it does need JS escaping! Otherwise some string may include something like </script><script>absolutely anything goes here... to run arbitrary JavaScript, if the JSON contains user data.
So use |escapejs:
var filtered_elements = {{ array|escapejs}};
I'm new on Laravel
and I search for a way to run queries
I'm not talking about select etc...
I want to run this query:
SET NAMES 'utf8'
This is question number one,
Now question number two:
I have data writen in hebrew in my db
and when I do on Laravel this code:
$todolist = DB::select('select * from todo');
return $todolist;
I get this result:
[{"id":1,"name":"\u05d1\u05dc\u05d4 \u05d1\u05dc\u05d4 \u05d1\u05dc\u05d4","done":0},{"id":2,"name":"\u05d1\u05dc\u05d4 \u05d1\u05dc\u05d4 \u05d1\u05dc\u05d4","done":1}]
What is this? unicode? how can I turn it to hebrew again?
My mission is to send it back to client side and then show it on the web page
How can I translate this from unicode to hebrew with Java Script ?
You can use the statement method of the DB class, like so:
DB::statement("SET NAMES 'utf8'");
I'm not entirely aware of the situation but I would recommend this be within a migration.
Regarding the unicode characters, those should render in views correctly and should be usable within Javascript (see http://codepen.io/anon/pen/LZpOqY)
i have read many things here about how to prevent SQL injection also on other website and forums. Only thing is thats it makes me really confused on the way how to protect your website when writing stuff to the database.
I'm creating as schol project something where there alot of input from the users wil be writte to the database, i'm currently check them by javascript if they contains iligal char. Then i use ajax to activate my controller, use the query in my model send it back to the view.
But lets go on on my problem.
If i validate a input first with javascript, (client-side), then server side with PHP. If i first check in php if the input contains iligal char like * '' `` > <, that kind of things. What you whould use in a query for geting information from the database. Then escape the whitescpases since i don't want to have things with spaces on the website as users input.
Then use mysqli_real_escape_string() on the input. Then send it to the query that will looks like this.
/**
* #param string
* #param string
* #return mixed
*/
public function updateUsername($oldUsername, $newUsername) {
return $this->_db->query("UPDATE `users` SET `username` = :new_username WHERE `username` = :old_username",
[':new_username' => $newUsername,':old_username' => $oldUsername]);
}
So
1 > Check using javascript
2 > Check by php on char like * < > ' #
3 > using mysqli_real_escape_string()
4 > To the PDO query
Is this a good way for prefending SQL injection, i really don't want to send my school project live in the air with SQL injection haha.
Greetz,
Also many thanks for reading my long story
No. Banning characters prevents people from using them and there are often valid reasons to use them. If it makes no sense for the characters to appear in the data, then you can filter them to help keep the data sane. Don't do it as a security measure.
Ditto
No. Parametrised queries are better.
Yes, but not in combination with mysqli_real_escape_string since you shouldn't mix APIs and if you used both you would double escape things and put \ characters in your data.
The problem I am trying to solve is this
Given a string containing code (entered by the user via some kind of web based form), such as:
"a = b + 5; return Math.abs(a);"
Extract a list of tokens that are considered identifiers:
a, b
In general are there readily available existing solutions? If not, what is a good starting point for writing an simple algorithm for this purpose?
I tried http://ace.c9.io/#nav=about, but was not able to find a method that readily returned the token type of an entire document. According to the API reference getTokens(Number row) should return the information I want. However, this method ended up returning the entire line as type text
Thank you in advance