Re: [ydn-javascript] Re: datasource JSON string problem

  • Satyam
    Message 1 of 7 , Mar 6, 2008
      ----- Original Message -----
      From: "federico.galassi" <federico@...>
      To: <ydn-javascript@yahoogroups.com>
      Sent: Thursday, March 06, 2008 9:01 AM
      Subject: [ydn-javascript] Re: datasource JSON string problem

      > --- In ydn-javascript@yahoogroups.com, "Satyam" <satyam@...> wrote:
      >> Because it spares you from getting malicious code into your application.
      >> Ultimately, the JSON decoder does eval() your string but not before
      >> validating and ensuring it has no executable code in it, just values.
      >
      > Malicious JavaScript is an exception, not the common case. Most ajax apps
      > will be taking JSON from their own servers.

      Who says your server cannot be compromised? Never heard about SQL
      injection? SQL is not the only thing that can be injected into a database
      field, which your application might later happily disperse elsewhere. Even
      if you are secured against SQL injection, you might not be able to prevent
      injection of other code, such as JavaScript.

      > How much is the performance penalty between parsing and eval'ing? Is
      > there a way to tell the datasource to just eval the string?

      The JSON utility does eval() the JSON string; it simply uses three or four
      regular expressions to validate it before it does so. It does very little at
      JavaScript interpreter speed and it does no looping, so calling the regexp
      engine (which is fast enough) three or four times before the actual eval()
      doesn't really add much.


      > Federico
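Worked example, added here for illustration. This is not the YUI JSON utility's own source; it is a reconstruction of the json2.js-style "validate with a few regular expressions, then eval()" scheme that Satyam describes, placed beside a bare eval() so the difference on a poisoned response is visible. Function names (looksLikeJSON, safeParse, unsafeParse, demo) and the sample payloads are my own, and the "injected display name" response is constructed for the demo.

```javascript
// Validate-then-eval JSON decoding, in the style of Crockford's json2.js.
// Added example; not the YUI JSON utility's code. Names are my own.

// Stage 1: replace every legal JSON escape sequence (\" \\ \/ \b \f \n \r \t
// \uXXXX) with a harmless '@' so a backslash-quote cannot confuse stage 2.
const ESCAPES = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g;

// Stage 2: collapse every string literal, number, true, false and null
// into a single ']' character. Only JSON *values* survive this step.
const TOKENS = /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g;

// Stage 3: drop '[' where it may legally appear (start of text, after ':'
// or ',') so arrays do not leave stray brackets behind.
const OPENERS = /(?:^|:|,)(?:\s*\[)+/g;

// Stage 4: whatever is left must consist only of structural characters.
// Any identifier, parenthesis, operator or call syntax fails this test.
const STRUCTURAL = /^[\],:{}\s]*$/;

function looksLikeJSON(text) {
  const stripped = String(text)
    .replace(ESCAPES, '@')
    .replace(TOKENS, ']')
    .replace(OPENERS, '');
  return STRUCTURAL.test(stripped);
}

// The gated decoder: three replaces and one test, then a single eval().
function safeParse(text) {
  if (!looksLikeJSON(text)) {
    throw new SyntaxError('not JSON: refusing to eval');
  }
  // Parentheses make a bare object literal parse as an expression.
  return eval('(' + text + ')');
}

// What "just eval the string" does: anything in the text gets executed.
function unsafeParse(text) {
  return eval('(' + text + ')');
}

// Constructed inputs. CLEAN is ordinary JSON with an escaped quote inside a
// string. POISONED imagines a "display name" column that was stored with an
// injected expression and is echoed back verbatim into the JSON response.
const CLEAN = '{"a": [1, 2.5, "x\\"y", null], "b": {"c": true}}';
const POISONED = '{"name": (globalThis.pwned = true, "alice")}';

// Runs both decoders and reports what happened, so the outcome can be
// checked programmatically rather than only read off the console.
function demo() {
  globalThis.pwned = false;
  const result = { clean: safeParse(CLEAN), rejected: false, rawRan: false };
  try {
    safeParse(POISONED);
  } catch (e) {
    result.rejected = e instanceof SyntaxError; // regex gate refused it
  }
  unsafeParse(POISONED);                         // injected expression runs
  result.rawRan = globalThis.pwned === true;
  return result;
}

console.log(demo());
```

Run with node: the printed object has rejected = true and rawRan = true, i.e. the regex gate refuses the poisoned string while the bare eval() executes the injected assignment. The cost of the gate is three regex replaces and one regex test over the text, which is what the "three or four regular expressions" in the reply refers to. Where a native JSON.parse is available (every current browser and Node), prefer it: it never evaluates the text at all.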