2

I want to escape all MySQL special chars in a JavaScript string.

The escape() function does not work since it doesn't escape characters like +

Any suggestions?

1

2 Answers

2

See the documentation on binding parameters in Firefox's documentation for storage.

You should never try to construct SQL statements on the fly with values inserted in them. By binding the parameters, you prevent possible SQL injection attacks since a bound parameter can never be executed as SQL.

```javascript
var statement = dbConn.createStatement("SELECT * FROM table_name WHERE id = :row_id");
statement.params.row_id = 1234;
```
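An added example (not part of the original answer) contrasting concatenation with a bound parameter. Firefox storage is SQLite, where the only escape inside a string literal is a doubled quote and backslash is an ordinary character, so the scanner below applies that rule; the column `name`, the parameter `:name` and the sample value are assumptions.

```javascript
// Added example, not from the original answers. Assumed names: column `name`, parameter `:name`.

// Return the SQL text that lies outside string literals, using SQLite's rule:
// a literal is delimited by ', its only escape is '' and backslash is ordinary.
function outsideLiterals(sql) {
  let outside = "";
  let inLiteral = false;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (!inLiteral) {
      if (c === "'") inLiteral = true;
      else outside += c;
    } else if (c === "'") {
      if (sql[i + 1] === "'") i++; // doubled quote stays inside the literal
      else inLiteral = false;
    }
  }
  return { outside, unterminated: inLiteral };
}

// Backslash escaping in the MySQL style (subset: backslash and both quotes).
function mysqlStyleEscape(s) {
  return s.replace(/[\\'"]/g, "\\$&");
}

// Statement built by concatenation: the value becomes part of the SQL text.
function concatenated(value, escapeFn) {
  return "SELECT * FROM table_name WHERE name = '" + escapeFn(value) + "'";
}

// Statement with a named placeholder: the SQL text is constant, the value travels separately.
function bound(value) {
  return { sql: "SELECT * FROM table_name WHERE name = :name", params: { name: value } };
}

const input = "O'Reilly"; // constructed sample value
const viaMysql = outsideLiterals(concatenated(input, mysqlStyleEscape));
const viaEscape = concatenated(input, escape);
const viaBound = bound(input);

console.log(viaMysql);  // part of the value ends up outside the literal
console.log(viaEscape); // literal intact, but the stored value is no longer the input
console.log(viaBound);  // SQL text unchanged, value unchanged
```

With backslash escaping the apostrophe still closes the SQLite literal, and `escape()` rewrites the stored value; only the bound form keeps both the statement and the data as written.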

1

You could AJAX it to PHP and return the mysql_real_escape_string-ed value.

If you're escaping it for insertion into a database, you'll have to send it server-side anyway, right?

6 Comments

I'm actually coding something in Firefox, so it's client side
@Tony Like, with a local database?
@Tony The first comment on the PHP Manual's mysql_real_escape_string page has a good list of what values would need to be changed (and even how to change them). I imagine it would be relatively trivial to implement that in JavaScript.
Isn't the database in Firefox SQLite? Not MySQL?
Probably just enough to make it dangerous to try to use the documentation of a different database to determine it.