Reputation: 59
Unable to escape single quote
I am trying to figure out a way to escape single quotes in my "pre-built" SQL query that I send to a generic functions (all my queries use it).
I tried the escape npm plugin, doing it manually, etc.
Here's the bit of code where I build my query and when I input for example "it's", well the dataString bugs out because of the special character:
exports.addEntry = (req, res, nomPage, nomTable, data) => {
Object.keys(data).forEach(function (k, id) {
console.log(data[k]);
if (data[k] != null) {
if (id > 0) {
columnString += `,`;
dataString += `,`;
}
columnString += `${[k]}`;
dataString += `'${data[k]}'`;
}
});
try {
if (!data) throw new Error("Input not valid");
if (data) {
var sqlQuery = `INSERT INTO ${nomTable} (${columnString}) VALUES (${dataString})`;
connect.connectDatabase(sqlQuery, (data, err) => {
[...]
The generic function I was talking about earlier is this:
var sql = require("mssql");
var config = require("../settings").config;
exports.connectDatabase = function (rawQuery, callback) {
var conn = new sql.ConnectionPool(config);
conn
.connect()
.then(function () {
var req = new sql.Request(conn);
req
.query(rawQuery)
.then(function (recordset) {
callback(recordset.recordset);
})
My plan is having the queries to use only one function, not many functions that does pretty much the same thing.
Help would be greatly appreciated.
Upvotes: 0
Views: 1779
Answers (2)
Reputation: 41
A few ways to do this : 1 - replacing the colons for square brackets which will create an array of string values then you just have to worry about sorting thru the array length, this will increase your processing time but if your app is not too big it should not make a big difference.
2 - Use \' to escape single quotes in strings or \" to escape double quotes.
Let me know if that helped as this is a quick answer.
Upvotes: 0
Reputation: 12607
The way you are building up this query is exactly what you don't want to do. It leaves you completely open to SQL injection.
To avoid this, you need to parameterize your query. The added benefit here it will take care of all escaping.
Here is an example, straight from the MS docs, demonstrating how to perform parameterized queries with the node.js driver for SQL Server.
Your code, following this paradigm will look something like:
exports.addEntry = (req, res, nomPage, nomTable, data) => {
Object.keys(data).forEach(function (k, id) {
console.log(data[k]);
if (data[k] != null) {
if (id > 0) {
columnString += `,`;
dataString += `,`;
}
columnString += `${[k]}`;
dataString += `@${data[k]}`;
}
});
try {
if (!data) throw new Error("Input not valid");
if (data) {
var sqlQuery = `INSERT INTO ${nomTable} (${columnString}) VALUES (${dataString})`;
connect.connectDatabase(sqlQuery, (data, err) => {
[...]
All that changed was the operating constructing the dataString.
Note, you'll now need to feed parameters into your command execution to replace the data you were embedding before.
Upvotes: 1
Related Questions
- Making a javascript string sql friendly
- How to escape a whole sql string instead of escaping each argument?
- use quotes in sql query node.js
- NodeJS: Sanitize quotes in string for mssql
- how to replace all the single quotes to \' for a mysql query
- Escaping single quotes in MSSQL
- How do I properly escape the single quote in node-postgres queries?
- How to fix 'Unclosed quotation mark after the character string \')\'.' error
- Nodejs Mysql: Query-Escaping adds single quotes
- mysql escaping string node js`