
I've found a few similar questions here, but none contains a sufficient answer.
The webapp has a bunch of input fields. I need to escape all the special characters when I'm attempting to INSERT the inputs' values into a PG 9.5 database. This one looks good:
Escape string for use in Javascript regex
But it doesn't escape quotes. Due to this, I suppose, it may not escape other special characters.
Some other suggestions modify the original value. E.g. if I'm posting a comment, and this comment contains one single quote, then I want to see exactly one single quote when this comment gets rendered from the database.

  • If you use parameterized SQL with a stored procedure, special characters shouldn't be a problem. Also, you shouldn't escape special characters from the user input, or else the outlook may be different. How are you inserting records into the database? – User2012384 Jan 19 '16 at 04:22
  • I'm using node-postgres (https://github.com/brianc/node-postgres). The client side sends a JSON object to the Node.js server. The server has a custom function which transforms the JSON object into an `INSERT` query. – stkvtflw Jan 19 '16 at 04:30
  • Which language are you using on the code behind? PHP? ASP.NET? – User2012384 Jan 19 '16 at 04:32
  • I'm using JavaScript. – stkvtflw Jan 19 '16 at 04:34
  • In that case, is it possible to use the "replace" function in JavaScript? http://www.w3schools.com/jsref/jsref_replace.asp e.g.: `var insertStatement = yourInsertStatement.replace(/'/g, "''")` – User2012384 Jan 19 '16 at 04:36
  • Of course. I get what you mean. I'm able to write a replace function. What I need is the 'replace' function which replaces all the dangerous characters. Or, at least, a list of all such characters. I believe this is a very common issue; I've just not found this function or the list of characters which everyone uses. – stkvtflw Jan 19 '16 at 04:41
  • `function replaceSpecialCharacters(yourString){ return yourString.replace(/'/g, "''"); }` (the regex with the `g` flag replaces every single quote, not just the first) – User2012384 Jan 19 '16 at 06:01
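For the Node.js server described in the comments, here is an added example (not code from the question, its commenters, or node-postgres itself) of building that `INSERT` from the JSON object as a parameterized query, so values go to the driver separately from the SQL text and nothing has to be escaped or altered. The `comments` table and its column allow-list are assumptions made for the example.

```javascript
// Added example, not the question's code nor node-postgres's: turn a JSON
// object into a parameterized INSERT. Values are passed to the driver
// separately from the SQL text, so they are never escaped or altered; a
// single quote in a comment is stored and rendered as one single quote.
// Assumption for this example: the table and column allow-list below.

const ALLOWED_COLUMNS = {
  comments: ['author', 'body'], // constructed allow-list, not a real schema
};

// Placeholders ($1, $2, ...) stand in for values only, never for table or
// column names, so identifiers come from the allow-list and are quoted
// with the PostgreSQL rule: wrap in double quotes, double any inner quote.
function quoteIdent(name) {
  return '"' + String(name).replace(/"/g, '""') + '"';
}

function buildInsert(table, row) {
  const allowed = ALLOWED_COLUMNS[table];
  if (!allowed) throw new Error('unknown table: ' + table);
  // Keep only allow-listed keys; anything else in the JSON is dropped.
  const columns = Object.keys(row).filter((c) => allowed.includes(c));
  if (columns.length === 0) throw new Error('no insertable columns');
  const placeholders = columns.map((_, i) => '$' + (i + 1));
  const text =
    'INSERT INTO ' + quoteIdent(table) +
    ' (' + columns.map(quoteIdent).join(', ') + ')' +
    ' VALUES (' + placeholders.join(', ') + ')';
  // Values keep their original characters; the driver sends them out of band.
  const values = columns.map((c) => row[c]);
  return { text, values };
}

// Constructed request body with quotes, a backslash and an extra key.
const q = buildInsert('comments', {
  author: "O'Brien",
  body: "it's 'fine' \\ ok",
  role: 'admin', // not allow-listed, silently dropped
});
// q.text   -> INSERT INTO "comments" ("author", "body") VALUES ($1, $2)
// q.values -> ["O'Brien", "it's 'fine' \\ ok"]
// With node-postgres: await client.query(q.text, q.values);
```

Because the quotes never enter the SQL text, the comment is stored exactly as typed, which is the behaviour the question asks for.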

0 Answers