sanitize data for SQL with JavaScript
I have a bunch of forms with various input elements. I want to sanitize these on the server side (yes, I'm using server-side JavaScript), use these inputs as parameters, and prevent special characters from malforming them.

Before you go "this belongs not in the realm of JavaScript", etc., etc.:

I am using a multi-million licensed software solution which has JavaScript, but apparently has no standard functions out of the box. So, whatever I am using, I can assure you that you have never touched or heard of it. It supports server-side JavaScript, because well, the language is cool.

My first objective is to sanitize data before it goes in the database, and I love the way Ruby, for example, labels foreign data: tainted. I would rather have no tainted data. I googled and copy-pasted a poor regex here and there, and got a sad example. However, I have a function that said "well, it takes off 70% of the possible stuff from the data and is pretty darn sanitized".

Basically the string from these elements should be escaped, and I assume best practices exist for this wish of mine.
```
function sanitize(mystring) { ... ; return mystring }
```
How can I escape symbols like '#!? and other special characters, and how can I reverse them? I am aware of the JavaScript escape method, but I want to know if a debugged and publicly available function exists before I re-invent the wheel.

I considered:
- JavaScript escape
- base64 encoding
- regex

I would rather ask people who have written such functions before.

Thanks,

(See update below.)
You're reinventing the wheel. Whatever you're using to talk to the database should have some kind of "prepared statement" concept. In Java it's literally the PreparedStatement class, and your database access system should have something similar. Use these so you're not building SQL statements as strings. For instance, conceptually:
```
preparedstatement = prepare("insert into mytable (id, name) values (?, ?)");
preparedstatement.setfield(0, theid);
preparedstatement.setfield(1, thename);
```
not:
```
statement = "insert into mytable (id, name) values ('" + theid + "', '" + thename + "')";
```
...which is asking for injection attacks.

The "prepared statement" concept centralizes escaping in the database link layer, which is well prepared to handle it. If you tell people what you're using to access the database, they'll be able to point you at the relevant mechanism. See below.

Just for the avoidance of doubt: you're doing the escaping on the server, right? I mean, that's how I read it, since you've said "I want to sanitize these on the server side...". In case you were thinking of doing it client-side: you can't. Nothing, absolutely nothing, that the client side sends can be trusted; it can all be faked. It must be server-side.

Update: you've commented that you're using Rhino in an application server. Excellent! Use PreparedStatement and let the JDBC driver handle it for you. (For non-Java lurkers: Rhino is JavaScript on the Java VM. It's brilliant.)
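As an added example (not code from the original question or answer), the following JavaScript puts the two forms from the answer side by side: the concatenated statement and a prepared-statement-style template whose parameters never enter the SQL text. It uses no database and assumes the helper names shown; the JDBC calls in the comments are the ones the Rhino version would make.

```javascript
// Added example, not code from the original post. It contrasts the two forms
// the answer describes: SQL built by string concatenation versus a fixed
// template with separately supplied parameters. No database is involved; a
// small quote counter shows when user data changes the statement's structure.

// The "not:" form from the answer: values spliced straight into the SQL text.
function buildConcatenated(theid, thename) {
  return "insert into mytable (id, name) values ('" + theid + "', '" + thename + "')";
}

// Prepared-statement shape: the SQL text is fixed, values travel separately.
// Under Rhino the real call is the JDBC API, e.g.
//   var ps = conn.prepareStatement("insert into mytable (id, name) values (?, ?)");
//   ps.setInt(1, theid); ps.setString(2, thename); ps.executeUpdate();
// (JDBC parameter indexes start at 1). This stand-in only checks the placeholder
// count and never touches the SQL string.
function prepare(sql, params) {
  var placeholders = (sql.match(/\?/g) || []).length;
  if (placeholders !== params.length) {
    throw new Error("expected " + placeholders + " parameters, got " + params.length);
  }
  return { sql: sql, params: params.slice() };
}

// Count complete single-quoted literals; '' inside a literal is an escaped quote.
// Returns -1 for an unterminated literal, i.e. a statement whose structure broke.
function literalCount(sql) {
  var count = 0, inLiteral = false;
  for (var i = 0; i < sql.length; i++) {
    if (sql[i] !== "'") continue;
    if (inLiteral && sql[i + 1] === "'") { i++; continue; } // doubled quote
    if (inLiteral) { inLiteral = false; count++; } else { inLiteral = true; }
  }
  return inLiteral ? -1 : count;
}

// Constructed sample inputs: a plain name and one containing the quote the question asks about.
var SAFE_NAME = "Alice";
var QUOTED_NAME = "O'Brien";

function demo() {
  var prepared = prepare("insert into mytable (id, name) values (?, ?)", [42, QUOTED_NAME]);
  return {
    concatenatedLiterals: literalCount(buildConcatenated(42, SAFE_NAME)),    // 2
    concatenatedWithQuote: literalCount(buildConcatenated(42, QUOTED_NAME)), // -1
    preparedSql: prepared.sql,          // template unchanged, data kept in prepared.params
    preparedLiterals: literalCount(prepared.sql)                             // 0
  };
}
```

The quote in `O'Brien` ends the concatenated literal early and leaves the statement unterminated, which is the same structural break an injected payload relies on; the prepared template is byte-for-byte identical whatever the parameter contains.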