Reputation: 3965
I am writing a WebKit app that imports data from an RSS feed and stores it in a JavaScript database. Since the data is coming from an external source, I want to make sure the strings have been made safe before inserting them into the database. For example, in PHP I would use the "mysql_real_escape_string" function, which escapes quotes and other characters.
Ideally I want to keep away from native functions so that this app can be deployed across multiple phone platforms (iPhone, BlackBerry, Android) using WebKit.
Link to equivalent PHP function: http://php.net/manual/en/function.mysql-real-escape-string.php
Link to javascript database documentation: https://developer.apple.com/library/archive/documentation/iPhone/Conceptual/SafariJSDatabaseGuide/UsingtheJavascriptDatabase/UsingtheJavascriptDatabase.html
Example code:
Currently it is:
    mydb.transaction(
        function(transaction) {
            transaction.executeSql("INSERT INTO rss (url,title) VALUES (?,?);", ["www.some-rss-feed.com", "a title containing a' quote"], successFunction, errorFunction);
        }
    );
Ideally it should be something like the following, where "a_safe_function" is the name of the function that makes the string safe for the database.
    mydb.transaction(
        function(transaction) {
            transaction.executeSql("INSERT INTO rss (url,title) VALUES (?,?);", [a_safe_function("www.some-rss-feed.com"), a_safe_function("a title containing a' quote")], successFunction, errorFunction);
        }
    );
Libraries I'm using:
Upvotes: 0
Views: 375
Reputation: 318568
You don't have to do any escaping when passing query and arguments separately.
Merging query and parameters is an ugly thing which is done mainly for PHP+MySQL, as PHP had no proper way to pass query and parameters separately before PDO - and even nowadays many people are not using PDO but rather escaping their values (or forgetting it ;x) and building SQL strings dynamically :/
Upvotes: 1
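To make the answer concrete, here is an added example (not code from the question or the answer) showing the same INSERT written both ways: spliced into the SQL text, and passed as a separate params array as transaction.executeSql expects. Because Web SQL's openDatabase does not exist outside WebKit, a constructed recording stub stands in for the database so the code runs anywhere.

```javascript
// Unsafe shape: values become part of the SQL text. The apostrophe in the
// title closes the string literal early, so the statement's structure now
// depends on the data, which is exactly what escaping tries to patch over.
function buildInsertByConcatenation(url, title) {
  return "INSERT INTO rss (url,title) VALUES ('" + url + "','" + title + "');";
}

// Safe shape: the SQL text is a constant with ? placeholders and the values
// travel separately, as executeSql(sql, params, onSuccess, onError) expects.
// The database binds them as data, so no escaping function is needed.
function insertRssItem(db, url, title, onSuccess, onError) {
  const sql = "INSERT INTO rss (url,title) VALUES (?,?);";
  db.transaction(function (tx) {
    tx.executeSql(sql, [url, title], onSuccess, onError);
  });
  return sql;
}

// Constructed stand-in for a Web SQL database (assumption: a real app would
// call openDatabase(...) in WebKit). It records what executeSql received so
// the result can be inspected without a browser.
function makeRecordingDb() {
  const calls = [];
  return {
    calls,
    transaction(fn) {
      fn({ executeSql(sql, params) { calls.push({ sql, params }); } });
    },
  };
}

// Quick structural check: count single quotes in SQL text. An odd number
// means a string literal was left open, i.e. the data broke the statement.
function countQuotes(sql) {
  return (sql.match(/'/g) || []).length;
}

// Run both shapes on the question's own sample values and return the results.
function demo() {
  const url = "www.some-rss-feed.com";
  const title = "a title containing a' quote";
  const db = makeRecordingDb();
  const boundSql = insertRssItem(db, url, title);
  return {
    boundSql,                           // constant text, zero quotes
    boundParams: db.calls[0].params,    // title arrives intact, apostrophe and all
    splicedSql: buildInsertByConcatenation(url, title), // 5 quotes: broken literal
  };
}
```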