How do I escape data in Javascript for a client-side database like WebDB or Google Gears?

If I'm using a client-side database like Google Gears or a WebDB implementation, what's the best way to escape the data to prevent SQL injection? Wrap it in encodeURI()?

Furthermore, do I even need to worry about it? There's a blurb here, http://code.google.com/apis/gears/api_database.html#Database-execute that makes me think it's handled for me, but I wasn't sure.

Answers


You don't have to worry about quoting/escaping if you're using placeholders. So this:

resultSet = db.execute (
  'INSERT INTO MYTABLE VALUES (?, ?, ?) WHERE id=?',
  [some, variables, that_you_got_from, somewhere]
)

is fine as-is. If you're trying to build SQL by pasting a bunch of strings together then you're going to have problems so don't do that. However, there are cases where you'll need to paste strings together to get your SQL but there are safe ways around that; something like this tends to be a common case where you can use both placeholders and string concatenation:

var list = some_array_of_unknown_size_and_origin;
var qs   = [ ];

for(var i = 0; i < list.size; ++i) 
    qs.push('?');

var rs = db.execute(
    'UPDATE some_table SET col = 'blahblah' WHERE id IN (' + qs.join(',') + ')',
    list
);

Need Your Help

How to keep a fixed UITextField below UITableView ?

objective-c ios uitextfield uitableview

I have been reading all over the web about this and still can't understand what is the proper way of handling the following:

Why can Razor not see ViewBag, Url.Content, etc. when the layout page is outside ~/Views/Shared?

layout razor viewbag

I'm working on a CSS framework that I can drop in to other projects as a NuGet package.

About UNIX Resources Network

Original, collect and organize Developers related documents, information and materials, contains jQuery, Html, CSS, MySQL, .NET, ASP.NET, SQL, objective-c, iPhone, Ruby on Rails, C, SQL Server, Ruby, Arrays, Regex, ASP.NET MVC, WPF, XML, Ajax, DataBase, and so on.