How to escape? data that is being inserted into sqlite database.

I'm making an apple app using phone gap (which uses sqlite database).

All my inserts work fine except for when I try to insert a weblink. This errors because there are " characters in the weblink.

Using the following:

var content = 'hello, this is my <a href="www.google.com">link</a>'
tx.executeSql('UPDATE PAGES SET co开发者_高级运维ntent="'+content+'" WHERE id="1"');

Brings back the following error

error code 1
error: "near "http": syntax error"

If I remove the website address, I don't get an error. I have tried: content = escape(content);

but that hasn't worked.

Use parameter binding. This is the right and the safest way to do what you're trying to do.

tx.executeSql('UPDATE PAGES SET content=? WHERE id=1', [content]);

To escape quotes in SQLite you'll have to repeat the quotes.

So to insert a 7" screen you'll have to put a 7"" screen in the INSERT statement.

The problem is the quote marks. They change the meaning of the SQL request and cause the error.

I can't find any information on escaping them properly. I read that you can put \ before them and then add ESCAPE ("\") to the SQL statement, but this doesn't seem to work with PhoneGap's implementation.

In the end, I did a simple replace, where single or double quote marks are replaced with ", like so:

var thisNotes = $('textarea#notes').val().replace(/(["'])/g,'"');

I just need to display quote marks in a text field however - I don't need them as part of a HTML link, so I'm not sure whether the link would still work. You may need to reverse the replace before displaying the link.

Hope this helps.

use javascript replace maybe create a function like so:

function CleanDbData( dirty ){
     var clean = dirty.replace( "/"","''").replace("<script>","[script]");
     return clean;
}

var mydata = CleanDbData( dirtydata );

this is not AS is, you will have to mess with regex etc but you get the idea [hopefully]