
I want to URL encode this:

SELECT name FROM user WHERE uid = me() 

Do I have to download a module for this? I already have the request module.

TIMEX
  • Indeed, this is a slippery road and should be avoided at all costs. – Alfred Jul 02 '11 at 00:23
  • @LightnessRacesinOrbit: looks like an FQL query. – nikc.org Sep 21 '12 at 07:19
  • Are you trying to put an SQL statement in your URL??? Be careful of the [SQL Injection Attack](http://en.wikipedia.org/wiki/SQL_injection)! It's generally a bad idea to expose SQL to the users; it's really dangerous. – Leonmax Aug 21 '12 at 16:03
  • @LightnessRacesinOrbit Doesn't Stack Exchange do this? If I understand this, it uses permissions at the DBMS to keep anything bad from happening. – Demi Feb 12 '17 at 16:25
  • @Demi: No? How would that work? DBMS permissions are not sufficiently fine-grained, even if every single SO user got their own DB account. Tell me where on SO you see SQL queries passed directly? The one exception is data explorer, but that's all read-only views, and it's certainly not put in the URL. – Lightness Races in Orbit Feb 12 '17 at 16:57
  • @LightnessRacesinOrbit I was referring to read-only views. – Demi Feb 12 '17 at 17:22
  • @Demi: The answer's still no. – Lightness Races in Orbit Feb 12 '17 at 17:28
  • The guy could be building an SQL validation tool; nothing wrong with passing SQL commands in an example like that. Too much focus on not answering the question and not giving good advice (the most upvoted comment doesn't give good advice, only makes fun of the OP). – Rafael Eyng May 14 '18 at 19:37

6 Answers


You can use JavaScript's encodeURIComponent:

encodeURIComponent('select * from table where i()')

giving

'select%20*%20from%20table%20where%20i()'
Brian Burns
Joe
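A worked example added here (not part of Joe's answer) of what encodeURIComponent does and does not do for a value like the SQL text in the question: the encoding round-trips exactly, a second encoding pass changes what a single decode yields, and a malformed percent sequence throws URIError unless it is caught. The sample strings are constructed for the example.

```javascript
// Added example (not from the original answer): what encodeURIComponent does and
// does not do for a value such as the SQL text in the question. Sample strings
// below are constructed for illustration.

// Encode exactly one query-string value.
function encodeValue(value) {
  return encodeURIComponent(value);
}

// Decode without letting a malformed percent sequence ("%E0%A4%A", "%zz")
// propagate as an uncaught URIError: returns null for undecodable input.
function decodeValueSafe(encoded) {
  try {
    return decodeURIComponent(encoded);
  } catch (err) {
    if (err instanceof URIError) return null;
    throw err;
  }
}

// Percent-encoding is reversible: the receiver gets the exact original text.
// It protects the URL's structure; it does not neutralise what the text means
// to whatever interprets it afterwards (here, a SQL engine).
function roundTrip(value) {
  return decodeValueSafe(encodeValue(value));
}

// Encoding an already-encoded string turns "%20" into "%2520". A component that
// decodes once sees "%20", one that decodes twice sees a space, so two layers
// (proxy, framework, application) can disagree about the same bytes.
function doubleEncode(value) {
  return encodeValue(encodeValue(value));
}

// How many decode passes until the string stops changing (capped at `max`).
// 0 means nothing was percent-encoded, 2 means double-encoded.
function decodeDepth(encoded, max = 5) {
  let depth = 0;
  let current = encoded;
  while (depth < max) {
    const next = decodeValueSafe(current);
    if (next === null || next === current) break;
    current = next;
    depth += 1;
  }
  return depth;
}

const sql = 'SELECT name FROM user WHERE uid = me()';
console.log(encodeValue(sql));               // SELECT%20name%20FROM%20user%20WHERE%20uid%20%3D%20me()
console.log(roundTrip(sql) === sql);         // true
console.log(doubleEncode(sql));              // SELECT%2520name%2520FROM%2520user%2520WHERE%2520uid%2520%253D%2520me()
console.log(decodeDepth(doubleEncode(sql))); // 2
console.log(decodeValueSafe('%E0%A4%A'));    // null
```

decodeDepth is the check to run on an incoming parameter when a filter in front of the application decodes once: anything that reports a depth above 1 was encoded more than once on the way in.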

The built-in module querystring is what you're looking for:

var querystring = require("querystring");
var result = querystring.stringify({query: "SELECT name FROM user WHERE uid = me()"});
console.log(result);
// prints 'query=SELECT%20name%20FROM%20user%20WHERE%20uid%20%3D%20me()'
nicolaskruchten

Use the escape function of querystring. It generates a URL-safe string.

var escaped_str = require('querystring').escape('Photo on 30-11-12 at 8.09 AM #2.jpg');
console.log(escaped_str);
// prints 'Photo%20on%2030-11-12%20at%208.09%20AM%20%232.jpg'
Peter Mortensen
Kamrul
  • This definitely appears to be the correct function; `querystring.stringify()` (in Nicolas' answer) seems to return an empty string now. – brandonscript May 13 '16 at 18:18
  • https://nodejs.org/api/querystring.html#querystring_querystring_escape_str says: "The `querystring.escape()` method is used by `querystring.stringify()` and is generally not expected to be used directly." – Simon Hänisch Aug 18 '17 at 01:24

Note that URI encoding is good for the query part; it's not good for the domain. The domain gets encoded using punycode. You need a library like URI.js to convert between a URI and an IRI (Internationalized Resource Identifier).

This is correct if you plan on using the string later as a query string:

> encodeURIComponent("http://examplé.org/rosé?rosé=rosé")
'http%3A%2F%2Fexampl%C3%A9.org%2Fros%C3%A9%3Fros%C3%A9%3Dros%C3%A9'

If you don't want ASCII characters like /, : and ? to be escaped, use encodeURI instead:

> encodeURI("http://examplé.org/rosé?rosé=rosé")
'http://exampl%C3%A9.org/ros%C3%A9?ros%C3%A9=ros%C3%A9'

However, for other use-cases, you might need uri-js instead:

> var URI = require("uri-js");
undefined
> URI.serialize(URI.parse("http://examplé.org/rosé?rosé=rosé"))
'http://xn--exampl-gva.org/ros%C3%A9?ros%C3%A9=ros%C3%A9'
Flimm
  • I don't understand why `xn--` is added in the second example. It will not work as a URL, or did I miss something? – TOPKAT Jun 22 '21 at 11:26
  • Look at the second "e" in `http://examplé.org`: it is not an ASCII character and should be presented as [punycode](https://en.wikipedia.org/wiki/Punycode). – Jan aka uptech Dec 11 '21 at 02:56

encodeURIComponent(string) will do it:

encodeURIComponent("Robert'); DROP TABLE Students;--")
//>> "Robert')%3B%20DROP%20TABLE%20Students%3B--"

⚠️ Passing SQL around in a query string might not be a good plan though: see this one

John Culviner

encodeURI

The encodeURI() method is used to encode a complete URL. This method encodes special characters except ~!$&@#*()=:/,;?+

encodeURIComponent

To encode special characters in URI components, you should use the encodeURIComponent() method. This method is suitable for encoding URL components such as query string parameters and not the complete URL.

Milkncookiez
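Added example, not part of Milkncookiez's answer: instead of listing from memory which characters encodeURI leaves alone, compute the set for both functions over printable ASCII and derive their difference, then use that difference to check a value before it goes into a URL component. The sample values are the ones quoted on this page.

```javascript
// Added example (not from the original answer): derive which printable ASCII
// characters each encoder leaves alone, and use the difference to check a value
// before it is placed into a URL component.

function printableAscii() {
  let chars = '';
  for (let code = 0x20; code < 0x7f; code += 1) chars += String.fromCharCode(code);
  return chars;
}

// Characters that `encode` returns unchanged, in code-point order.
function unescapedBy(encode) {
  return [...printableAscii()].filter((ch) => encode(ch) === ch).join('');
}

// Characters encodeURI keeps but encodeURIComponent escapes. These are the
// reserved URL delimiters, which is why encodeURI must not be used on a single
// component: a value containing them would change the URL's structure.
function delimiterDifference() {
  const byUri = new Set(unescapedBy(encodeURI));
  const byComponent = new Set(unescapedBy(encodeURIComponent));
  return [...byUri].filter((ch) => !byComponent.has(ch)).join('');
}

// Delimiters in `value` that encodeURI would pass through untouched, in order
// of first appearance. Empty means the two functions agree on this value.
function leakedDelimiters(value) {
  const delimiters = new Set(delimiterDifference());
  return [...new Set([...value])].filter((ch) => delimiters.has(ch)).join('');
}

console.log(unescapedBy(encodeURI));
// !#$&'()*+,-./0123456789:;=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz~
console.log(unescapedBy(encodeURIComponent));
// !'()*-.0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz~
console.log(delimiterDifference());                                      // #$&+,/:;=?@
console.log(leakedDelimiters('SELECT name FROM user WHERE uid = me()')); // =
```

The `=` in the question's query is the concrete case: encodeURI would leave it in place, and a parser splitting on `=` would then see a different key/value boundary than intended, whereas encodeURIComponent turns it into `%3D`.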