
I need to make a JavaScript string which is passed into Node.js friendly for MSSQL.

This question, "Making a javascript string sql friendly", has a great answer that explains how to escape strings for MySQL:

Credit to Paul D'Aoust

function mysql_real_escape_string (str) {
    return str.replace(/[\0\x08\x09\x1a\n\r"'\\\%]/g, function (char) {
        switch (char) {
            case "\0":
                return "\\0";
            case "\x08":
                return "\\b";
            case "\x09":
                return "\\t";
            case "\x1a":
                return "\\z";
            case "\n":
                return "\\n";
            case "\r":
                return "\\r";
            case "\"":
            case "'":
            case "\\":
            case "%":
                return "\\"+char; // prepends a backslash to backslash, percent,
                                  // and double/single quotes
        }
    });
}

I need to achieve the exact same thing for MSSQL.

I have spent the last hour (probably longer) searching for an answer; however, there does not seem to be a lot of documentation on the internet that explains how to do this. The official mssql package documentation only mentions prepared statements; however, I want to find a way to do this without prepared statements.

  • Why do you not want to use parameterized queries? They're the correct approach (even for MySQL). Commented Sep 13, 2017 at 2:04
  • Question upvoted, but what is stopping you from writing a similar user-defined function in SQL Server? Commented Sep 13, 2017 at 2:04
  • "however, I want to find a way to do this without prepared statements." - No, you really don't. Unless you are prepared to make a really compelling case that explains all the details of why your situation is too special for prepared statements. Everyone is using prepared statements/parameters to communicate with databases. Even really, really complex solutions do it. Why do you think you can't? Commented Sep 13, 2017 at 3:38

2 Answers


Use parameterized queries instead, because the value is handed to the SQL server itself, which takes care of inserting it into the database. It then understands better that the data is one string that should not be interpreted in any way as SQL directives/syntax (e.g. when the user enters "'", it could terminate the string when using unparameterized queries). Instead, use parameterized queries, normally written like this (or at least in MySQL, I don't know about MSSQL):

SELECT * FROM users WHERE id = ?

In this case, it retrieves all users with the ID specified via the library used for connecting to and querying the database, e.g. the mysql package for Node.js (installed via npm) for connecting to MySQL databases.

So if we provide the ID (first parameter) as 12, it selects all users with ID 12. If the user provides 12', it is interpreted as "12'", so if the ID were a string, the quote in the input would not close the string. Instead it is interpreted as raw string data, not MySQL code, making it more secure against SQL injection.

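As an added example that is not part of the original question or either answer: the escaping rule the asker was looking for for T-SQL string literals (doubling the single quote; unlike MySQL, backslash is not an escape character in T-SQL), placed next to the reason the answer above recommends parameters. The function names, the `users` table and the 32-bit id range are assumptions for illustration; the `mssql` calls shown in the comment are that package's documented `Request.input()`/`query()` methods, but they are not executed here because they need a live SQL Server.

```javascript
// Added example (not from the original post): escaping for a T-SQL string
// literal versus a parameterized query with the mssql package.
//
// Unlike MySQL, T-SQL does not treat backslash as an escape character inside
// a quoted string. The only way to put a single quote inside a single-quoted
// literal is to double it: 'O''Brien'. Backslash, %, \n and so on are data.
function escapeTSqlLiteral(str) {
  if (typeof str !== 'string') {
    throw new TypeError('escapeTSqlLiteral expects a string');
  }
  return "'" + str.replace(/'/g, "''") + "'";
}

// Build a query by string concatenation using the escaper. This is only safe
// when the value lands in a string-literal position. (users table assumed.)
function buildNameQuery(name) {
  return 'SELECT * FROM users WHERE name = ' + escapeTSqlLiteral(name);
}

// A numeric position is a different story: there is no quote to escape, so a
// payload such as "1 OR 1=1" passes straight through and changes the query.
// Kept here deliberately to show the failure mode.
function buildIdQueryUnsafe(id) {
  return 'SELECT * FROM users WHERE id = ' + id;
}

// Hardened version for when a value is still concatenated: validate the type
// rather than escape it. (Assumption: ids are non-negative 32-bit integers.)
function buildIdQueryChecked(id) {
  if (!Number.isInteger(id) || id < 0 || id > 2147483647) {
    throw new RangeError('id must be a non-negative 32-bit integer');
  }
  return 'SELECT * FROM users WHERE id = ' + id;
}

// What the answer above recommends, written with the mssql package (not run
// here because it needs a live SQL Server):
//
//   const sql = require('mssql');
//   await sql.connect(config);
//   const result = await new sql.Request()
//     .input('id', sql.Int, id)                        // typed parameter
//     .query('SELECT * FROM users WHERE id = @id');    // @id never concatenated
//
// The driver ships @id as a separate typed value rather than as SQL text, so
// the server never parses user data as part of the statement.

console.log(buildNameQuery("' OR 1=1 --"));   // quote neutralized
console.log(buildIdQueryUnsafe('1 OR 1=1'));  // injection survives escaping
console.log(buildIdQueryChecked(12));
```

The take-away for the question as asked: for a string literal in T-SQL the escaper is one line (double every `'`), but escaping is only meaningful in a string context; numeric values, identifiers and `IN (...)` lists need validation or, better, typed parameters.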


Should be str.replaceAll instead of str.replace otherwise just the first occurrence will be processed.
