Making a javascript string sql friendly Making a javascript string sql friendly javascript javascript

Making a javascript string sql friendly


javascript sql string node.js escaping

It turns out that mysql_real_escape_string() is pretty trivial. According to the documentation:

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

Sounds pretty simple, actually. You could do something like this:

function mysql_real_escape_string (str) {    return str.replace(/[\0\x08\x09\x1a\n\r"'\\\%]/g, function (char) {        switch (char) {            case "\0":                return "\\0";            case "\x08":                return "\\b";            case "\x09":                return "\\t";            case "\x1a":                return "\\z";            case "\n":                return "\\n";            case "\r":                return "\\r";            case "\"":            case "'":            case "\\":            case "%":                return "\\"+char; // prepends a backslash to backslash, percent,                                  // and double/single quotes            default:                return char;        }    });}

NOTE: I haven't run this through any sort of unit test or security test, but it does seem to work -- and, just as an added bonus, it escapes tabs, backspaces, and '%' so it can also be used in LIKE queries, as per OWASP's recommendations (unlike the PHP original).

I do know that mysql_real_escape_string() is character-set-aware, but I'm not sure what benefit that adds.

There's a good discussion of these issues over here.

javascript sql string node.js escaping

Learnt the hard way that passing numbers to this function causes the whole process it is used in to die quietly. So I add a little test:

function mysql_real_escape_string (str) {    if (typeof str != 'string')        return str;    return str.replace(/[\0\x08\x09\x1a\n\r"'\\\%]/g, function (char) {        switch (char) {            case "\0":                return "\\0";            case "\x08":                return "\\b";            case "\x09":                return "\\t";            case "\x1a":                return "\\z";            case "\n":                return "\\n";            case "\r":                return "\\r";            case "\"":            case "'":            case "\\":            case "%":                return "\\"+char; // prepends a backslash to backslash, percent,                                  // and double/single quotes        }    });}

javascript sql string node.js escaping

For anyone who is coming to this answer from 2018 onwards it is also worth noting that a number of javascript database frameworks now contain a connection.escape method.

For instance: 

var mysql = require('mysql')var connection = mysql.createConnection( // your connection string here var query = "SELECT THING FROM THING WHERE FRED= " + connection.escape( your_string_here );

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last