Making a javascript string sql friendly
Is there away to make a javascript string being passed to NodeJS friendly for MySQL? I'm trying to pass an email address to my NodeJS server and query into MySQL database. When doing regular text such as a username works fine, but the email address doesn't. Using escape clearly is not the right answer as it is not meant for S开发者_运维百科QL insertion. I'm assuming I need something on the lines of the PHP function mysql_real_escape_string().
It turns out that mysql_real_escape_string() is pretty trivial. According to the documentation:
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
Sounds pretty simple, actually. You could do something like this:
function mysql_real_escape_string (str) {
return str.replace(/[\0\x08\x09\x1a\n\r"'\\\%]/g, function (char) {
switch (char) {
case "\0":
return "\\0";
case "\x08":
return "\\b";
case "\x09":
return "\\t";
case "\x1a":
return "\\z";
case "\n":
return "\\n";
case "\r":
return "\\r";
case "\"":
case "'":
case "\\":
case "%":
return "\\"+char; // prepends a backslash to backslash, percent,
// and double/single quotes
default:
return char;
}
});
}
NOTE: I haven't run this through any sort of unit test or security test, but it does seem to work -- and, just as an added bonus, it escapes tabs, backspaces, and '%' so it can also be used in LIKE queries, as per OWASP's recommendations (unlike the PHP original).
I do know that mysql_real_escape_string() is character-set-aware, but I'm not sure what benefit that adds.
There's a good discussion of these issues over here.
Learnt the hard way that passing numbers to this function causes the whole process it is used in to die quietly. So I add a little test:
function mysql_real_escape_string (str) {
if (typeof str != 'string')
return str;
return str.replace(/[\0\x08\x09\x1a\n\r"'\\\%]/g, function (char) {
switch (char) {
case "\0":
return "\\0";
case "\x08":
return "\\b";
case "\x09":
return "\\t";
case "\x1a":
return "\\z";
case "\n":
return "\\n";
case "\r":
return "\\r";
case "\"":
case "'":
case "\\":
case "%":
return "\\"+char; // prepends a backslash to backslash, percent,
// and double/single quotes
}
});
}
For anyone who is coming to this answer from 2018 onwards it is also worth noting that a number of javascript database frameworks now contain a connection.escape method.
For instance:
var mysql = require('mysql')
var connection = mysql.createConnection( // your connection string here
var query = "SELECT THING FROM THING WHERE FRED= " + connection.escape( your_string_here );
Solution that works also for Frontend projects
Install sqlstring (a library maintained by mysqljs):
npm install sqlstring
if you use TypeScript you can also install the typings:
npm install @types/sqlstring
Then use it:
import { escape } from 'sqlstring';
const escapedString = escape(`it's going to be escaped!`);
In case someone is looking for, the escapeString() in CUBRID RDBMS works as follows:
var _escapeString = function (val) {
val = val.replace(/[\0\n\r\b\t\\'"\x1a]/g, function (s) {
switch (s) {
case "\0":
return "\\0";
case "\n":
return "\\n";
case "\r":
return "\\r";
case "\b":
return "\\b";
case "\t":
return "\\t";
case "\x1a":
return "\\Z";
case "'":
return "''";
case '"':
return '""';
default:
return "\\" + s;
}
});
return val;
};
This is an excerpt from CUBRID Node.js driver.
Using arrays instead of a case statement:
var regex = new RegExp(/[\0\x08\x09\x1a\n\r"'\\\%]/g)
var escaper = function escaper(char){
var m = ['\\0', '\\x08', '\\x09', '\\x1a', '\\n', '\\r', "'", '"', "\\", '\\\\', "%"];
var r = ['\\\\0', '\\\\b', '\\\\t', '\\\\z', '\\\\n', '\\\\r', "''", '""', '\\\\', '\\\\\\\\', '\\%'];
return r[m.indexOf(char)];
};
//Implementation
"Some Crazy String that Needs Escaping".replace(regex, escaper);
If you are playing with CJK characters http://en.wikipedia.org/wiki/CJK_characters or some special emotional icons of iOS/Android/Other mobiles ... such as "�‡‰™©
加载中,请稍侯......
精彩评论