[英]Escape special characters in Javascript SQL Query
I'm trying to send an SQL query with javascript using a variable sourced from an input. 我正在尝试使用源自输入的变量使用javascript发送SQL查询。 In this input, characters like ' and " along with others may be entered. 在此输入中,可以输入'和'等字符以及其他字符。
Here's what my script function looks like: 这是我的脚本函数的样子:
function insertJobDesc (r) {
rowid=r;
var qty = document.getElementById('Qty' + r).value;
var desc = document.getElementById('Desc' + r).value;
desc = desc.replace(/&/g, "&").replace(/>/g, ">").replace(/</g, "<").replace(/"/g, '"""').replace(/'/g, '"'"');
sendAsync("editDatabase.php?sql=UPDATE+jobdesc+SET+qty="+qty+",+description='"+desc+"',+rowID="+rowid+"+WHERE+id="+rowid+"+AND+jobID="+jobID);
}
An example of the value for 'desc' that I'd want to send is: 80-0234-1 6'5" GATE So it's a combination of numbers, letters, and special characters. I tried to replace each of them but it didn't work out. 我要发送的'desc'值的一个示例是:80-0234-1 6'5“ GATE所以它是数字,字母和特殊字符的组合。我尝试替换它们中的每一个,但是没有解决。
Any ideas? 有任何想法吗?
Use encodeURIComponent() 使用encodeURIComponent()
function insertJobDesc (r) {
rowid=r;
var qty = document.getElementById('Qty' + r).value;
var desc = encodeURIComponent(document.getElementById('Desc' + r).value);
sendAsync("editDatabase.php?sql=UPDATE+jobdesc+SET+qty="+qty+",+description='"+desc+"',+rowID="+rowid+"+WHERE+id="+rowid+"+AND+jobID="+jobID);
}
Disclaimer: Don't ever do anything like this... 免责声明:永远不要做这样的事情...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.