
I want to escape all mysql special chars in a javascript string.

The escape() function does not work since it doesn't escape characters like +

Any suggestions?

Tony Stark
  • For archive purposes: the accepted answer here works great http://stackoverflow.com/questions/7744912/making-a-javascript-string-sql-friendly – leticia Aug 14 '13 at 19:12

2 Answers


See the documentation on binding parameters in Firefox's documentation for storage.

You should never try to construct SQL statements on the fly with values inserted in them. By binding the parameters, you prevent possible SQL injection attacks since a bound parameter can never be executed as SQL.

```javascript
// The SQL text contains only the :row_id placeholder; the value is bound
// separately and is never parsed as part of the statement.
var statement = dbConn.createStatement("SELECT * FROM table_name WHERE id = :row_id");
statement.params.row_id = 1234;
```
Quentin

You could AJAX it to PHP and return the `mysql_real_escape_string`'d value.

If you're escaping it for insertion into a database, you'll have to send it server-side anyway, right?

sdleihssirhc
  • I'm actually coding something in Firefox, so it's client side – Tony Stark Jan 29 '11 at 05:44
  • @Tony Like, with a local database? – sdleihssirhc Jan 29 '11 at 05:45
  • @Tony [The first comment](http://www.php.net/manual/en/function.mysql-real-escape-string.php#101248) on the PHP Manual's `mysql_real_escape_string` page has a good list of what values would need to be changed (and even how to change them). I imagine it would be relatively trivial to implement that in JavaScript. – sdleihssirhc Jan 29 '11 at 05:51
  • Isn't the database in Firefox SQLite? **Not** MySQL? – Quentin Jan 29 '11 at 06:08
  • @David I wondered about that, but how different could the amount and kinds of dangerous characters differ among SQL dialects? – sdleihssirhc Jan 29 '11 at 06:09
  • Probably just enough to make it dangerous to try to use the documentation of a different database to determine it. – Quentin Jan 29 '11 at 06:10
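The following is an added example, not code from either answer, that makes the disagreement in the comments above concrete and ties it back to the accepted answer: `escapeMysqlString` applies the backslash escaping that MySQL's `mysql_real_escape_string` performs, `quoteSqliteString` applies SQLite's quoting rule, `parseSqliteLiteral` shows what SQLite would make of each result, and `bindParams` is a hypothetical stand-in for the `statement.params` binding API from the accepted answer.

```javascript
// Added example; not code from either answer. Shows why MySQL-style escaping
// is the wrong tool for Firefox's SQLite store, and why binding avoids the
// question entirely. bindParams is a hypothetical model of statement.params.

// Characters mysql_real_escape_string rewrites (MySQL dialect only).
const MYSQL_ESCAPES = {
  "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
  "\\": "\\\\", "'": "\\'", '"': '\\"',
};

function escapeMysqlString(value) {
  return String(value).replace(/[\0\n\r\x1a\\'"]/g, (ch) => MYSQL_ESCAPES[ch]);
}

// SQLite dialect: backslash is an ordinary character; a single quote is
// doubled, and a NUL byte cannot appear inside a string literal at all.
function quoteSqliteString(value) {
  const s = String(value);
  if (s.includes("\0")) throw new Error("NUL cannot appear in a SQLite literal");
  return "'" + s.replace(/'/g, "''") + "'";
}

// Minimal reader for a SQLite single-quoted literal. Returns the decoded value
// and whatever follows the closing quote; leftover text would be parsed as SQL.
function parseSqliteLiteral(text) {
  if (text[0] !== "'") throw new Error("expected opening quote");
  let value = "";
  for (let i = 1; i < text.length; i++) {
    if (text[i] !== "'") { value += text[i]; continue; }
    if (text[i + 1] === "'") { value += "'"; i++; continue; }
    return { value, rest: text.slice(i + 1) };
  }
  throw new Error("unterminated string literal");
}

// Parameter binding: the SQL text is fixed and each :name value travels
// separately, so no escaping is needed and the value is never parsed as SQL.
function bindParams(sql, params) {
  const names = [...sql.matchAll(/:([A-Za-z_]\w*)/g)].map((m) => m[1]);
  for (const n of names) {
    if (!(n in params)) throw new Error(`missing bound parameter :${n}`);
  }
  return { sql, params: Object.fromEntries(names.map((n) => [n, params[n]])) };
}
```

Feeding the MySQL-escaped form of `O'Reilly` to the SQLite reader ends the literal at the backslash-quote and leaves `Reilly'` to be parsed as SQL, which is exactly the dialect mismatch the last two comments warn about.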