459

I want to URL encode this:

SELECT name FROM user WHERE uid = me() 

Do I have to download a module for this? I already have the request module.

8
  • 11
    Indeed, this is a slippy road and should be avoided at all costs. Commented Jul 2, 2011 at 0:23
  • 30
    Are you trying to put an SQL statement in your URL??? Be careful of the SQL injection attack! It's generally a bad idea to expose SQL to the users, it's really dangerous. Commented Aug 21, 2012 at 16:03
  • 5
    @LightnessRacesinOrbit: looks like an FQL-query. Commented Sep 21, 2012 at 7:19
  • 3
    @Demi: No? How would that work. DBMS permissions are not sufficiently fine-grained, even if every single SO user got their own DB account. Tell me where on SO you see SQL queries passed directly? The one exception is data explorer, but that's all read-only views, and it's certainly not put in the URL. Commented Feb 12, 2017 at 16:57
  • 33
    The guy could be building an SQL validation tool; nothing wrong with passing SQL commands in an example like that. Too much focus on not answering the question and not giving good advice either (the most upvoted comment doesn't give good advice, it only makes fun of the OP). Commented May 14, 2018 at 19:37

6 Answers 6

823

You can use JavaScript's encodeURIComponent:

encodeURIComponent('select * from table where i()')

giving

'select%20*%20from%20table%20where%20i()'

2 Comments

To save visitors a search, yes... decodeURIComponent is how you decode the encoded URI. You're welcome.
It helped me query in Bengali language using NodeJS. Thank you!
155

The built-in module querystring is what you're looking for:

var querystring = require("querystring");
var result = querystring.stringify({query: "SELECT name FROM user WHERE uid = me()"});
console.log(result);
// prints 'query=SELECT%20name%20FROM%20user%20WHERE%20uid%20%3D%20me()'

3 Comments

In this case we can only pass a map, not a string, so if the argument is a string you will see nothing in the result. If you have strings to encode, use encodeURIComponent().
This is better for encoding JSON objects and POST-ing them.
Not if the string contains ' or " characters
52

Use the escape function of querystring. It generates a URL-safe string.

var escaped_str = require('querystring').escape('Photo on 30-11-12 at 8.09 AM #2.jpg');
console.log(escaped_str);
// prints 'Photo%20on%2030-11-12%20at%208.09%20AM%20%232.jpg'

2 Comments

This definitely appears to be the correct function; querystring.stringify() (in Nicolas' answer) seems to return an empty string now.
nodejs.org/api/… says: "The querystring.escape() method is used by querystring.stringify() and is generally not expected to be used directly."
32

Note that URI encoding is good for the query part, it's not good for the domain. The domain gets encoded using punycode. You need a library like URI.js to convert between a URI and IRI (Internationalized Resource Identifier).

This is correct if you plan on using the string later as a query string:

> encodeURIComponent("http://examplé.org/rosé?rosé=rosé")
'http%3A%2F%2Fexampl%C3%A9.org%2Fros%C3%A9%3Fros%C3%A9%3Dros%C3%A9'

If you don't want ASCII characters like /, : and ? to be escaped, use encodeURI instead:

> encodeURI("http://examplé.org/rosé?rosé=rosé")
'http://exampl%C3%A9.org/ros%C3%A9?ros%C3%A9=ros%C3%A9'

However, for other use-cases, you might need uri-js instead:

> var URI = require("uri-js");
undefined
> URI.serialize(URI.parse("http://examplé.org/rosé?rosé=rosé"))
'http://xn--exampl-gva.org/ros%C3%A9?ros%C3%A9=ros%C3%A9'

2 Comments

I don't understand why xn-- is added in the second example. It will not work as a URL, or did I miss something?
Look at the second "e" in http://examplé.org: it is not an ASCII character and should be represented as punycode.
20

encodeURIComponent(string) will do it:

encodeURIComponent("Robert'); DROP TABLE Students;--")
//>> "Robert')%3B%20DROP%20TABLE%20Students%3B--"

⚠️ Passing SQL around in a query string might not be a good plan though: see this one

1 Comment

We call him little Bobby Tables :-P
2

encodeURI

The encodeURI() method is used to encode a complete URL. This method encodes special characters except ~!$&@#*()=:/,;?+

encodeURIComponent

To encode special characters in URI components, you should use the encodeURIComponent() method. This method is suitable for encoding URL components such as query string parameters and not the complete URL.

Comments
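An added example that is not from any answer in this thread, tying together the encodeURIComponent, querystring and punycode answers above: a strict RFC 3986 variant of encodeURIComponent, what the receiving URL parser hands back, and how Node's built-in URL class handles the non-ASCII host that uri-js was used for. All function names are my own, and example.invalid is a placeholder host.

```javascript
// Added example, not code from the thread above. Function names are mine.
// Shows what the answers leave implicit: which characters encodeURIComponent
// leaves alone, what a URL parser hands back, and punycode for the host.

// encodeURIComponent leaves !'()* unescaped although RFC 3986 reserves them
// as sub-delimiters; a strict encoder percent-encodes those five as well.
function rfc3986Encode(str) {
  return encodeURIComponent(str).replace(
    /[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase()
  );
}

// Build "k=v&k2=v2" from an object, encoding keys and values separately so
// '=' and '&' inside a value cannot be mistaken for separators.
function buildQuery(params, strict = false) {
  const enc = strict ? rfc3986Encode : encodeURIComponent;
  return Object.entries(params)
    .map(([k, v]) => `${enc(k)}=${enc(String(v))}`)
    .join("&");
}

// What the receiving side recovers. Percent-encoding is a transport step:
// the decoded value is the caller's exact string, SQL text included, so
// encoding does nothing to make an SQL statement in a URL safe to execute.
function decodeQueryParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// encodeURI percent-encodes the non-ASCII letters in the host like any other
// part of the string; Node's built-in WHATWG URL parser instead converts the
// host to punycode (as uri-js does above) and UTF-8 percent-encodes only the
// path and query.
function normalizeUrl(raw) {
  return { viaEncodeURI: encodeURI(raw), viaURL: new URL(raw).href };
}

// Constructed inputs mirroring the question and the answers.
const fql = "SELECT name FROM user WHERE uid = me()";
const looseQuery = buildQuery({ query: fql });        // ...uid%20%3D%20me()
const strictQuery = buildQuery({ query: fql }, true); // ...uid%20%3D%20me%28%29
const roundTrip = decodeQueryParam("https://example.invalid/api?" + strictQuery, "query");
console.log(looseQuery, strictQuery, roundTrip === fql);
console.log(normalizeUrl("http://examplé.org/rosé?rosé=rosé"));
```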
