1

I am developing an extension for Firefox and I have created SQLite DB. When inserting values into the table I get an error message:

Error: Permission denied for http://en.wikipedia.org to call method UnnamedClass.toString on <>.

The string values to be inserted are stored in a variable.

var book = "Harry Potter";
var myInsertQuery = 'INSERT INTO mybooks_tbl(title) VALUES('+ book + ');';

How do we insert data into the table as variables and not as strings?

Improve this question
1
  • 1
    That error message is quite unlikely to have anything to do with your problem.. Care to post more of the code? Commented Oct 18, 2009 at 12:46

3 Answers 3

Reset to default
2

SQLite follows the ANSI standard for string literals:

A string constant is formed by enclosing the string in single quotes ('). A single quote within the string can be encoded by putting two single quotes in a row

so:

function sqlstr(s) {
    return "'"+s.replace(/'/g, "''")+"'";
}

var query= 'INSERT INTO books(title) VALUES('+sqlstr(book)+');';

You must remember to escape all string literals like this, or you will have made a client-side SQL-injection hole.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Really, you shouldn't do the escaping yourself, however. You should use the binding functions that are available and let the engine handle it for you: developer.mozilla.org/En/Storage#Binding_Parameters
Thanks and i found a way around it by binding the parameter.
1

There is error in the string only var query= 'INSERT INTO books(title) VALUES('+sqlstr(book)+');';

tx.executeSql('INSERT INTO CLASS_LIST ("class_title","") VALUES("+v.classTitle+")');

Improve this answer

Comments

0

For sqlite3:

After some research, I found a simple way to not worry about assembling the string of a query. You've just to add parameters with colon ahead.

let myObj = {
    paramOne: "First value",
    paramTwo: "Second value",
};
let sqlQuery = 'INSERT INTO myTable VALUES(:paramOne, :paramTwo);';

# Run command and variable will be replaces
db.run(sqlQuery, [myObj.paramOne, myObj.paramTwo], ...)
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.