
How do I escape data in Javascript for a client-side database like WebDB or Google Gears?

If I'm using a client-side database like Google Gears or a WebDB implementation, what's the best way to escape the data to prevent SQL injection? Wrap it in encodeURI()?

Furthermore, do I even need to worry about it? There's a blurb here, http://code.google.com/apis/gears/api_database.html#Database-execute that makes me think it's handled for me, but I wasn't sure.

You don't have to worry about quoting/escaping if you're using placeholders. So this:

var resultSet = db.execute(
  'INSERT INTO MYTABLE VALUES (?, ?, ?, ?)',         // one '?' per bound value
  [some, variables, that_you_got_from, somewhere]     // values are bound by the engine, never spliced into the SQL text
);

is fine as-is. If you're trying to build SQL by pasting a bunch of strings together then you're going to have problems so don't do that. However, there are cases where you'll need to paste strings together to get your SQL but there are safe ways around that; something like this tends to be a common case where you can use both placeholders and string concatenation:

var list = some_array_of_unknown_size_and_origin;
var qs   = [ ];

// one '?' per element, so the placeholder count always matches the bound values
for (var i = 0; i < list.length; ++i)
    qs.push('?');

var rs = db.execute(
    "UPDATE some_table SET col = 'blahblah' WHERE id IN (" + qs.join(',') + ")",
    list
);
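The pattern from the answer, worked through as an added example that is not code from the original post or from the Gears API. It assumes a Gears/WebDB-style call of the shape db.execute(sqlText, boundValues); the `fakeDb` object is a constructed stand-in that only records what it is asked to run, so the file executes under plain Node with no client-side database present. It goes slightly beyond the answer in two ways a practitioner usually needs: the literal ('blahblah') is bound as well rather than pasted in, and the table and column names, which placeholders cannot bind, are checked against an assumed identifier whitelist before being concatenated. The unsafe builder is included only to show what the same hostile input does to the statement text when it is quoted by hand.

```javascript
// Added example, not code from the original answer. Assumes a Gears/WebDB
// style API db.execute(sqlText, boundValues); `fakeDb` is a constructed
// stand-in so the file runs offline under Node.

// Placeholders bind values only, never table or column names, so anything
// that must be pasted into the SQL text is restricted to a plain identifier.
// (Assumed policy; adjust if your schema uses other characters.)
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

function assertIdentifier(name) {
  if (typeof name !== 'string' || !IDENTIFIER.test(name)) {
    throw new Error('refusing to use unsafe identifier: ' + JSON.stringify(name));
  }
  return name;
}

// The safe pattern: concatenate only the '?' list, bind every value.
function buildUpdateWhereIdIn(table, column, newValue, ids) {
  assertIdentifier(table);
  assertIdentifier(column);
  if (!Array.isArray(ids) || ids.length === 0) {
    throw new Error('ids must be a non-empty array');
  }
  const qs = ids.map(() => '?').join(', ');
  return {
    sql: 'UPDATE ' + table + ' SET ' + column + ' = ? WHERE id IN (' + qs + ')',
    args: [newValue].concat(ids),
  };
}

// The 'before', for contrast: values spliced into the SQL text with hand quoting.
// A single quote inside a value ends the literal and changes the statement.
function buildUpdateUnsafe(table, column, newValue, ids) {
  const quoted = ids.map((v) => "'" + String(v) + "'").join(', ');
  return 'UPDATE ' + table + ' SET ' + column + " = '" + newValue +
    "' WHERE id IN (" + quoted + ')';
}

// Constructed stand-in for db.execute. A real engine binds the values itself;
// this one only checks that the number of '?' matches the number of values,
// which is valid here because the safe builder never puts a literal '?' in
// the SQL text (the stand-in does not parse SQL).
const fakeDb = {
  log: [],
  execute(sql, args) {
    const bound = args || [];
    const wanted = (sql.match(/\?/g) || []).length;
    if (wanted !== bound.length) {
      throw new Error('placeholder/argument mismatch: ' + wanted + ' vs ' + bound.length);
    }
    this.log.push({ sql, args: bound.slice() });
    return { sql, args: bound.slice() };
  },
};

// Run both builders over the same attacker-controlled id list (constructed input).
function demo() {
  const ids = [7, 42, "1') OR 1=1 --"];
  const safe = buildUpdateWhereIdIn('some_table', 'col', 'blahblah', ids);
  fakeDb.execute(safe.sql, safe.args);
  const unsafe = buildUpdateUnsafe('some_table', 'col', 'blahblah', ids);
  return { safe, unsafe };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it prints the bound statement `UPDATE some_table SET col = ? WHERE id IN (?, ?, ?)` with the hostile string sitting harmlessly in the argument array, next to the hand-quoted version in which `'1') OR 1=1 --` has already become part of the WHERE clause. Passing something like `'t; DROP TABLE x'` as the table name is rejected before any SQL is assembled.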
