I was told recently (on here) that concatenating your JavaScript will cause XSS vulnerabilities. I have done my research on here and on Google to find out why this is bad, but I am not seeing it.
Part 1 – JavaScript: Apparently something like this is the unsafe way. Why? How should you do it instead?
// part of a script dynamically making table rows
var el = document.createElement('div');
el.innerHTML = '<input type="text" id="myId'+id+'" />';
cellOne.appendChild(el);
Part 2 – MySQL: I was told that when you concat SQL, it exposes you to SQL injections. I am not sure what they meant by concat SQL exactly. I assume they were not talking about the SQL concat function. I am guessing they meant:
$sql = " SELECT `col` FROM `table` WHERE `col` = '".$myFilteredVariable."' ";
Or maybe?
$sql = " SELECT `col` FROM `table` WHERE `col` = '".$myFilteredVariable."' ";
$sql .= " AND `col2` = '".$myvar."' ";
Does this expose you to SQL injection?
The SQL part is academic. I use PDO to prevent SQL injection.
Part 1
It can be, if id comes from user input that persists on the page. The id variable may contain…
Part 2
Unless those variables are escaped using the correct mechanism, there is a vulnerability. The $myvar variable may contain…
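The Part 1 case as an added example (not code from the question or the answer): it compares the concatenated innerHTML string with an attribute-escaped version and with plain DOM property assignment. The function names and the sample id value are constructed for illustration.

```javascript
// Added example: function names and the sample id value are constructed.

// The pattern from the question: the value becomes part of the markup.
function buildInputUnsafe(id) {
  return '<input type="text" id="myId' + id + '" />';
}

// Encode a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Still concatenation, but the value can no longer close the attribute.
function buildInputEscaped(id) {
  return '<input type="text" id="myId' + escapeAttr(id) + '" />';
}

// Preferred in the browser: build the node and assign the property, so the
// value is never run through the HTML parser. `doc` is normally `document`.
function buildInputDom(doc, id) {
  var input = doc.createElement('input');
  input.type = 'text';
  input.id = 'myId' + id;
  return input;
}

// Demo helper: list the double-quoted attribute names a parser would see.
// Only meant for the two fixed-shape strings built above.
function attributeNames(html) {
  var re = /([^\s"'<>\/=]+)\s*=\s*"[^"]*"/g;
  var names = [];
  var m;
  while ((m = re.exec(html)) !== null) {
    names.push(m[1]);
  }
  return names;
}

// Constructed input: a benign value that closes the id attribute early.
var sampleId = '7" data-injected="yes';
console.log(attributeNames(buildInputUnsafe(sampleId)));  // type, id, data-injected
console.log(attributeNames(buildInputEscaped(sampleId))); // type, id
```

In the question's script, `buildInputDom(document, id)` would replace the `innerHTML` line and its result would be appended to `cellOne`.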