If I'm using a client-side database like Google Gears or a WebDB implementation, what's the best way to escape the data to prevent SQL injection? Wrap it in encodeURI()?
Furthermore, do I even need to worry about it? There's a blurb here, http://code.google.com/apis/gears/api_database.html#Database-execute that makes me think it's handled for me, but I wasn't sure.
You don't have to worry about quoting/escaping if you're using placeholders. So this:
resultSet = db.execute ( 'INSERT INTO MYTABLE VALUES (?, ?, ?) WHERE id=?', [some, variables, that_you_got_from, somewhere] )
is fine as-is. If you're trying to build SQL by pasting a bunch of strings together then you're going to have problems so don't do that. However, there are cases where you'll need to paste strings together to get your SQL but there are safe ways around that; something like this tends to be a common case where you can use both placeholders and string concatenation:
var list = some_array_of_unknown_size_and_origin; var qs = [ ]; for(var i = 0; i < list.size; ++i) qs.push('?'); var rs = db.execute( 'UPDATE some_table SET col = 'blahblah' WHERE id IN (' + qs.join(',') + ')', list );