
I have a Node application running express and I want to escape apostrophes on the incoming request body properties, but I'm not confident this is the best way to do it.

exports.p_edit = function(req, res) {

    // Escape every apostrophe in each field by hand: the approach I'm not sure about
    var args = [
        req.body.title.split("'").join("\\'"),
        req.files.thumbnail.name.split("'").join("\\'"),
        req.body.tags.split("'").join("\\'"),
        req.body.topic.split("'").join("\\'"),
        req.body.preview.split("'").join("\\'"),
        req.body.markdown.split("'").join("\\'")
    ];
    // ...
    // Do other stuff
};

I know I can use a for(prop in req.body) loop to iterate over the all request body properties, but how can I reassign the values dynamically to each property?

For example if I do

for(prop in req.body) {
    prop.split("'").join("\\'");
}

and later reference req.body.title (or any property), then the value is unchanged. Similarly, if I try to assign it like req.body.prop = prop.split("'").join("\\'"); (hoping that req.body.prop would change dynamically with each iteration) it simply adds the prop property to the req.body object. How can I dynamically iterate and reassign these properties?

James
  • [Try bracket notation](https://stackoverflow.com/questions/695050/how-do-i-add-a-property-to-a-javascript-object-using-a-variable-as-the-name) – `req.body[prop] = req.body[prop].split("'").join("\\'");` – Jonathan Lonowski Jan 24 '17 at 06:24
  • Why do you need/want to escape them? Normally you only need this if you e.g. pass them to a database or similar and for such a case those libs communicating with a service that requires escaping normally provide a better way to do that. – t.niese Jan 24 '17 at 06:38
  • @t.niese What do you suggest doing? Most places I've looked online simply suggest stripping them out with something like what I've done. – James Jan 25 '17 at 00:06
  • Where do you use the data that requires the escaping of the `'`? Without knowing the later usage or the reason why you escape them it is not possible to tell. But I never need to do that manually in any of my applications, because this was covered by the corresponding libraries in a more reliable and safer way. Libraries that require escaping should know better what to escape and how to escape correctly and therefore normally provide those functionalities, which should be used instead of your own code. – t.niese Jan 25 '17 at 05:33
  • @t.niese I am doing a variety of things with the values, but they do get stored in a `mysql` db. I'm using the mysql npm module, but it doesn't escape them on its own. Is there a method within the module to sanitize input more reliably? – James Jan 25 '17 at 05:36
  • The mysql module does provide functionality to escape [values](https://github.com/mysqljs/mysql/blob/master/Readme.md#escaping-query-values) and [identifiers](https://github.com/mysqljs/mysql/blob/master/Readme.md#escaping-query-identifiers) by either using the escape function or by placeholders (`?`) in the query. And you should always use that functionality over your own. – t.niese Jan 25 '17 at 05:41
  • @t.niese Thank you. This is better. – James Jan 25 '17 at 05:43
  • If you use the escape function then keep the escaping close to the place where you use it in the query. In general I would suggest only using the placeholders, or if you compose the query using `+`, that you escape the values directly at that place, otherwise your code will not be easy to maintain. – t.niese Jan 25 '17 at 05:49

1 Answer


If I understand your requirements correctly, you just need to change your loop to use bracket notation:

for (var prop in req.body) {
    // Bracket notation reads and reassigns the property whose name is in `prop`;
    // the typeof check skips non-string values, which have no split()
    if (req.body.hasOwnProperty(prop) && typeof req.body[prop] === 'string')
        req.body[prop] = req.body[prop].split("'").join("\\'");
}

JSFiddle: https://jsfiddle.net/wsahkozt/1/

Nick Coad