php - Escaping input for insertion into XQuery string -


say have following code:

let $search := "placeholder" ... ...functx:get-matches-and-non-matches($t,$search)...

this code stored in file, gets loaded string (by php), placeholder gets replaced user input, , code gets executed.

obviously, " needs escaped somehow.

is there other stuff needs escaped or removed before user input safe?

so far, discovered need replace " " stuff work, , in process discovered \ needs \\ here (or \\, makes "\\\\" in php) , escaping { , } might idea, because make regex parser throw otherwise.

don't dynamically construct queries if don't have to, you'll have put lots of effort escaping prevent code injections (and still might overlook parameter somewhere). consider using externally bound variables instead, can compared prepared statements in sql.

as seem use basex , php, example basex php binding:

// create query instance $input = 'declare variable $name external; $i in 1 10 return element { $name } { $i }'; $query = $session->query($input); // bind variable $query->bind("name", "number"); // print results print $query->execute()."\n";

if you're using interface basex, registering external variables should possible of them. other xquery implementations should provide similar mechanics bind variables, external variables officially xquery standard.


Comments

Post a Comment

Popular posts from this blog

javascript - Bootstrap Popover: iOS Safari strange behaviour -

i looking through twitter bootstrap documentation, , i'm interested in implementing dismissible popover when button clicked. here example bootstrap's docs: http://getbootstrap.com/javascript/#dismiss-on-next-click when press "dismissible popover" button os x safari browser works fine. when access same link above ios safari, button not work. is, popover not dismissed on click. why button not working ios safari? the example linked using data-trigger="focus" attribute. try changing data-trigger="click" . <a tabindex="0" class="btn btn-lg btn-danger" role="button" data-toggle="popover" data-trigger="click" title="dismissible popover" data-content="and here's amazing content. it's engaging. right?">dismissible popover</a>
Read more

Magento/PHP - Get phones on all members in a customer group -

i working on custom magento extension. working around adminhtml part , i've created custom form there. here form code: <?php class vivasindustries_smsnotification_block_adminhtml_sms_sendmass_edit_form extends mage_adminhtml_block_widget_form { public function _preparelayout() { $extensionpath = mage::getmoduledir('js', 'vivasindustries_smsnotification'); $head = $this->getlayout()->getblock('head'); $head->addjs('jquery.js'); $head->addjs('vivas.js'); return parent::_preparelayout(); } protected function _prepareform() { $form = new varien_data_form(array( 'id' => 'edit_form', 'action' => $this->geturl('*/*/save', array('id' => $this->getrequest()->get...
Read more

session - Logging Out Using PHP -

i have seen other programs regarding can't seem make work. doing wrong? want achieve after user logged out, going previous pages become restricted. i have 3 php files: 1. sample.php - main page username , password filled in 2. successful.php - user's page after logging in 3. logout.php - destorys session hinder user access pages after logging out sample.php </html> <form action="" method="post"> <table> <tr> <td>username:</td> <td>password:</td> </tr> <tr> <td><input type="text" name="username"></td> <td><input type="password" name="password"></td> </tr> <tr> <td><input type="submit" value="submit" name="submit"></td> </tr> </table> </form> </html> <?php $servername = "localhost"; $username = ...
Read more