I've search around but not found an answer to this one.
Is there a function in Javascript similar to PHP's mysql_real_escape_string
to make safe user inputs before writing them to a WebSQL database?
If not, does anyone know of a custom made function out there that I could use?
UPDATE: So it seems like there is no native function, so I have written:
function sql_real_escape_string(val){
var val = val.replace('"','"');
val = val.replace('\'','’');
return val;
}
Are there any other characters that I should be replacing to be on the safe side?
The best answer to handling user input when inserting into databases is to employ paramaterization. The Web SQL API supports this:
var db = openDatabase('mydb', '1.0', 'my database', 2 * 1024 * 1024);
db.transaction(function (tx) {
tx.executeSql('INSERT INTO foo (id, text) VALUES (?, ?)', [id, userValue]);
});
Instead of this:
db.transaction(function (tx) {
tx.executeSql('INSERT INTO foo (id, text) VALUES (1, "user-entered value")');
});
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.