Making a javascript string sql friendly

by

It turns out that mysql_real_escape_string() is pretty trivial. According to the documentation:

mysql_real_escape_string() calls MySQL’s library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ‘, ” and \x1a.

Sounds pretty simple, actually. You could do something like this:

function mysql_real_escape_string (str) {
    return str.replace(/[\0\x08\x09\x1a\n\r"'\\\%]/g, function (char) {
        switch (char) {
            case "\0":
                return "\\0";
            case "\x08":
                return "\\b";
            case "\x09":
                return "\\t";
            case "\x1a":
                return "\\z";
            case "\n":
                return "\\n";
            case "\r":
                return "\\r";
            case "\"":
            case "'":
            case "\\":
            case "%":
                return "\\"+char; // prepends a backslash to backslash, percent,
                                  // and double/single quotes
            default:
                return char;
        }
    });
}

NOTE: I haven’t run this through any sort of unit test or security test, but it does seem to work — and, just as an added bonus, it escapes tabs, backspaces, and ‘%’ so it can also be used in LIKE queries, as per OWASP’s recommendations (unlike the PHP original).

I do know that mysql_real_escape_string() is character-set-aware, but I’m not sure what benefit that adds.

There’s a good discussion of these issues over here.

More Related Contents:

  1. Escaping HTML strings with jQuery
  2. Replace multiple strings with multiple other strings
  3. Escaping Strings in JavaScript
  4. How to escape JavaScript in JSP?
  5. How to create streams from string in Node.Js?
  6. How can I insert new line/carriage returns into an element.textContent?
  7. How do I escape a string inside JavaScript code inside an onClick handler?
  8. How do I properly insert multiple rows into PG with node-postgres?
  9. How do I escape a string for a shell command in node?
  10. Javascript – Replacing the escape character in a string literal
  11. Convert JS object to JSON string
  12. Converting an object to a string
  13. How can I mock an ES6 module import using Jest?
  14. How to replace all occurrences of a string in JavaScript
  15. ReferenceError: fetch is not defined
  16. Is it possible to pass a flag to Gulp to have it run tasks in different ways?
  17. How to create a simple http proxy in node.js?
  18. How to sort in mongoose?
  19. How to use ES8 async/await with streams?
  20. Error: No Firebase App ‘[DEFAULT]’ has been created – call Firebase App.initializeApp()
  21. How to convert binary string to decimal?
  22. Secure distribution of NodeJS applications
  23. JavaScript performance difference between double equals (==) and triple equals (===)
  24. Difference between readFile() and readFileSync()
  25. How to handle errors from setTimeout in JavaScript?
  26. Cloning an Object in Node.js
  27. Create a string of variable length, filled with a repeated character
  28. String split returns an array with more elements than expected (empty elements)
  29. chart.js Failed to create chart: can’t acquire context from the given item
  30. Find and replace nth occurrence of [bracketed] expression in string

Leave a Comment