12

I need to modify the value using javascript, to make it ready to be put as part of a SQL insert query.

Currently I have the following code to handle the single quote ' character.

value = value.replace(/'/g, "\\'");

This code works without an issue. Now I noticed that stand-alone backslashes are causing errors.

How can I remove those stand alone backslashes?

Christofer Eliasson
user1052933

  • You should never trust data coming from the user in a way where it is used directly in a query. Escaping data should be done server-side, otherwise there is a great risk that you will be hacked using SQL-injections, since it is easy to bypass a JavaScript. – Christofer Eliasson Dec 30 '11 at 23:22
  • I'm very scared by the fact that you are creating SQL statements with JavaScript. Do you actually have an SQL library written in JavaScript (I didn't think that existed), or are you sending the SQL statements to the web server for execution there? If it is the latter, _you have a *major* security hole!_ You _must_ create the SQL statements on the server. – Aasmund Eldhuset Dec 30 '11 at 23:23
  • I really hope this is server side JavaScript somehow, like nodejs. – Mattias Wadman Dec 30 '11 at 23:24
  • Don't use JavaScript to alter content going into a database. Clearly this is a security question about preventing character injection. I can turn off JavaScript, or simply remove your client side code using Firebug, and then inject whatever I want into your database. – austincheney Dec 30 '11 at 23:24
  • It's possible (though highly unlikely) that this query is being created server-side with Node.js or whatever. That'd make a JS SQL library useful. But client-side, yeah -- this is trouble just waiting to happen. – cHao Dec 30 '11 at 23:25
  • @AasmundEldhuset: *"Do you actually have an SQL library written in JavaScript (I didn't think that existed)"* JavaScript is just a language. I use it server-side (and on the desktop, non-web) all the time. In fact, some of its first uses were server-side, in the old Netscape Application Server. It has traditionally been used more in web browsers than anywhere else, but it's **never** been limited to that, and server-side JavaScript is on the rise. – T.J. Crowder Dec 30 '11 at 23:30
  • @austin: All true. **If** you assume he's talking about *client-side* JavaScript. ;-) – T.J. Crowder Dec 30 '11 at 23:37
  • @T.J.Crowder: True; I forgot about node.js and the like - I should have said "creating SQL statements with _client-side_ JavaScript". – Aasmund Eldhuset Dec 30 '11 at 23:45
  • Thank you for all the answers and comments. To answer the comments - all of you are correct. I would not dream of doing this with client side javascript / browser. This is a server side javascript only / something like node.js – user1052933 May 29 '12 at 19:25

2 Answers

25

Now I noticed that stand-alone backslashes are causing errors.

Backslashes in the string you're operating on won't have any effect on replacing ' characters whatsoever. If your goal is to replace backslash characters, use this:

value = value.replace(/\\/g, "whatever");

...which will replace all backslashes in the string with "whatever". Note that I've had to write two backslashes rather than just one. That's because in a regular expression literal, the backslash is used to introduce various special characters and character classes, and is also used as an escape — two backslashes together in a regular expression literal (as in a string) represent a single actual backslash in the string.

To change a single backslash into two backslashes, use:

value = value.replace(/\\/g, "\\\\");

Note that, again, to get a literal backslash in the replacement string, we have to escape each of the two — resulting in four in total in the replacement string.

I need to modify the value using javascript, to make it ready to be put as part of a SQL insert query.

You don't want to do this by hand. Any technology that allows you to make database queries and such (JDBC, ODBC, etc.) will provide some form of prepared or parameterized statement (link), which deals with these sorts of escaping issues for you. Doing it yourself is virtually guaranteed to leave security holes in your software which could be exploited. You want to use the work of a team that's had to think this through, and which updates the resulting code periodically as issues come to light, rather than flying alone. Further, if your JavaScript is running on the client (as most is, but by no means all — I use JavaScript server-side all the time), then nothing you do to escape the string can make it safe, because client requests to the server can be spoofed, completely bypassing your client-side code.

T.J. Crowder
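Added example, not code from the question or either answer: the two replacements the answer above describes combined into one escaping function, a check that shows why their order matters, and a placeholder-based INSERT builder (a hypothetical helper, not any library's API) that keeps the value out of the SQL text entirely, which is the prepared-statement shape the answer recommends.

```javascript
// Added example (not from the question or answers). The backslash escaping
// convention is the one the answer assumes (MySQL-style); see the note below.

// Both replacements from the answer, combined. Backslashes MUST go first:
// otherwise the backslash added in front of each quote would itself be
// doubled, and the quote would be unescaped again.
function escapeSqlString(value) {
  return value
    .replace(/\\/g, "\\\\")   // one backslash  -> two backslashes
    .replace(/'/g, "\\'");    // single quote   -> backslash + quote
}

// The same two replacements in the wrong order, kept here only to show the bug.
function escapeSqlStringWrongOrder(value) {
  return value
    .replace(/'/g, "\\'")
    .replace(/\\/g, "\\\\");
}

// Walks an escaped literal the way a backslash-aware SQL parser would and
// reports whether any quote is left unescaped (it would end the literal early).
function hasUnescapedQuote(escaped) {
  for (let i = 0; i < escaped.length; i++) {
    if (escaped[i] === "\\") { i++; continue; } // skip the escaped character
    if (escaped[i] === "'") return true;
  }
  return false;
}

// Parameterized INSERT (hypothetical helper): the row values never enter the
// SQL text; they are returned separately for a prepared-statement API.
// Table and column names are identifiers and must come from code, never from
// user input, so they are checked against a strict pattern before use.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
function buildInsert(table, row) {
  const columns = Object.keys(row);
  if (![table, ...columns].every((id) => IDENT.test(id))) {
    throw new Error("table and column names must be plain identifiers");
  }
  const placeholders = columns.map(() => "?").join(", ");
  const sql = `INSERT INTO ${table} (${columns.join(", ")}) VALUES (${placeholders})`;
  return { sql, params: columns.map((c) => row[c]) };
}

// Constructed sample: the actual string is   it's \ ok
const sample = "it's \\ ok";
console.log(escapeSqlString(sample), hasUnescapedQuote(escapeSqlString(sample)));
console.log(escapeSqlStringWrongOrder(sample), hasUnescapedQuote(escapeSqlStringWrongOrder(sample)));
console.log(buildInsert("users", { name: sample, age: 3 }));
```

Standard SQL escapes a quote by doubling it (`''`) and gives backslash no special meaning, so a hand-rolled escape that is right for one database is wrong for another; the placeholder form avoids that whole class of mistake.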
3

You should use an escape function provided by some kind of database library, rolling your own will only cause trouble.

Mattias Wadman