Databases
StackOverflow2013
Postsdbo
PO
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    primarykey
    data
    text
    <blockquote> <p>is it the best practice?</p> </blockquote> <p>No. In fact you've got HTML-injection problems leading to bugs, and in the worst case where the injected strings may contain user-submitted content, XSS security holes.</p> <p>When you put plain text content and attribute values into an HTML string, you <em>must</em> HTML-encode them. In PHP, you have to call <code>htmlspecialchars()</code> on strings going into HTML to do it. In JavaScript, you don't get a built-in HTML-escaping function, so you have to make your own, eg. by using <code>s.replace(/&amp;/g, '&amp;amp;').replace(/&lt;/g, '&amp;lt;').replace(/"/g, '&amp;quot;')</code> on the string going into the HTML.</p> <blockquote> <p>onclick="someFunc(\'{STRING}\');"</p> </blockquote> <p>That's a whole new level of escaping mess. In a JavaScript string literal inside an event handler attribute, you would have to JS-encode the string (<code>\</code>-escaping <code>'</code> and <code>\</code> plus a few Unicode characters for completeness) <em>and</em> then HTML-encode the results. Otherwise the string can break out of its string-literal delimiter and inject arbitrary JS code. Avoid inline event handler attributes in all cases, but especially in templating.</p> <p>Creating page content with HTML strings sucks. You are very likely to make escaping errors and compromise the security of your application. Use DOM-like methods instead and you don't have to worry about this. You seem to be using jQuery, so try the jQuery 1.4 element creation shortcuts:</p> <pre><code>$('&lt;tr&gt;').append( $('&lt;td&gt;').append( $('&lt;a&gt;', { href: o.link, text: o.word, onclick: function() { someFunc(o.string); } }) ) ); </code></pre> <p>or, keep your blank row actually inside the document as HTML, but then hide it (<code>display: none</code>) or detach it from the document at start time (<code>removeChild</code> or jQuery <code>detach</code>). Then when you want a new row, clone the blank row and make the changes you need:</p> <pre><code>var blankRow= $('#blankRow').detach(); ... var newRow= blankRow.clone(); var link= newRow.find('td&gt;a'); link.attr('href': o.link); link.text(o.word); link.click(function() { someFunc(o.string); }); </code></pre> <p>If you must create content from string templates, ensure your templating function HTML-escapes every replacement by default, and attach events by selecting nodes inside the parsed content to call <code>click(function() { ... })</code> on. Or use event delegation (eg. jQuery <code>live()</code>) to handle events without having to bind to new nodes when added.</p>
    singulars
    1. This table or related slice is empty.
    1. POBest practice for inserting large chunks of HTML into elements with Javascript?
      singulars
      1. PTQuestion
    1. PTAnswer
    1. USbobince
    1. USbobince
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. POBest practice for inserting large chunks of HTML into elements with Javascript?
      singulars
      1. PTQuestion
    1. This table or related slice is empty.
    1. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    1. COMan... what a mission. Thanks for your help. Really wish I was using jquery instead of prototype now :(
      singulars
      1. PO
      1. UShamstar
    2. CO@hamstar: Oops! I should have spotted that was a Prototype ID selector `$` not jQuery. D'oh. Prototype has a similar (IMO: in some ways better) shortcut for creating elements, `new Element`. See http://prototypejs.org/2007/5/12/dom-builder
      singulars
      1. PO
      1. USbobince
    3. COSweet! I might have to give that a go :) Cheers
      singulars
      1. PO
      1. UShamstar
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload