Home >Database >Mysql Tutorial >How Can I Safely Insert JavaScript Strings into SQL Queries in Node.js to Prevent SQL Injection?

How Can I Safely Insert JavaScript Strings into SQL Queries in Node.js to Prevent SQL Injection?

Mary-Kate OlsenOriginal: 2025-01-01 07:52:12158browse

Securing JavaScript Strings for SQL Queries in NodeJS

When passing user-provided strings to NodeJS for SQL database insertion, it's crucial to prevent SQL injection vulnerabilities. Regular text handling may suffice for simple data like usernames, but email addresses require special care. This article explores a solution to enhance the SQL friendliness of JavaScript strings.

Emulating MySQL's mysql_real_escape_string()

The PHP function mysql_real_escape_string() sanitizes strings for safe SQL insertion. However, NodeJS does not offer a native equivalent natively. To remedy this, a custom function can be implemented to mimic its functionality by escaping characters that are problematic in SQL queries.

The following code provides a custom mysql_real_escape_string() function for JavaScript:

function mysql_real_escape_string(str) {
    return str.replace(/[\x08\x09\x1a\n\r"'\\%]/g, function(char) {
        switch (char) {
            case "":
                return "\0";
            case "\x08":
                return "\b";
            case "\x09":
                return "\t";
            case "\x1a":
                return "\z";
            case "\n":
                return "\n";
            case "\r":
                return "\r";
            case "\"":
            case "'":
            case "\":
            case "%":
                return "\"+char;
            default:
                return char;
        }
    });
}

This function replaces specified characters with their escaped counterparts, rendering the string safe for SQL insertion. It even extends the scope of escaped characters to include tabs, backspaces, and '%', ensuring compatibility with LIKE queries.

Note on Character Set Awareness

MySQL's mysql_real_escape_string() is character-set-aware, but the custom function provided here does not consider character sets. However, its broad character escaping ensures that it works reliably across most scenarios.

Further Reading

For more information and discussions on SQL injection prevention, refer to the OWASP website.

The above is the detailed content of How Can I Safely Insert JavaScript Strings into SQL Queries in Node.js to Prevent SQL Injection?. For more information, please follow other related articles on the PHP Chinese website!

php JavaScript sql mysql String for include require JS function this database

Statement：

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Previous article：How Can I Prevent SQL Injection in INSERT Statements with Textbox Comments?Next article：How Can I Prevent SQL Injection in INSERT Statements with Textbox Comments?

See more

How Can I Safely Insert JavaScript Strings into SQL Queries in Node.js to Prevent SQL Injection?

Related articles