
I have gone through a variety of questions that have been asked with the same thing in mind but it doesn't seem to be working for me.

I have an HTML textarea from which I collect the comments of a user and I'm storing them in a MySQL database. So I want the special characters that are entered by the users to also be accepted without any error/exception and store them in the database as well.

I came across a solution for the newline character and I added this line of code which works well.

var comment = document.getElementById("commentArea").value;
comment = comment.replace(/\n/g, '<br />');

The other characters like &$%#( are all getting inserted without any problem except for quotes. I'm not sure what I should do to escape them. I tried comment.replace("\'","&39") for escaping single quotes but that doesn't seem to work.

How can I escape both single and double quotes? Thanks in advance.

EDIT: I'm using JSP and Servlets for my application. Should I escape these characters in the servlet then?

Let me know the reason before downvoting.

Update: As suggested in the answers and comments, I used a prepared statement and passed the string using the setString() method. However, the problem still persists.

The code snippet I've used is:

// SQL string literals take single quotes; double quotes inside a Java string
// literal end the literal, so the original line did not compile.
String query = "insert into db_name (column1,column2,column3,column4) values('SomeValue1','SomeValue2',?,'SomeValue3')";
PreparedStatement st = conn.prepareStatement(query);
st.setString(1, "String_from_TextArea"); // bound as a parameter, no manual quoting
int rows = st.executeUpdate();

  • What driver do you use? NodeJs, PHP? You must escape the value on the server side (not the client side). Commented Dec 5, 2013 at 7:18
  • Forget about doing this on the client side. Within the server-side code you need to use mysqli_real_escape_string before writing the comment to the database. Commented Dec 5, 2013 at 7:18
  • This really should be done on the server-side, rather than the client side. For instance, if you are using PHP, then you can escape the string using PHP's addslashes: cl1.php.net/addslashes If this is not an option, why must it be done by the client? Commented Dec 5, 2013 at 7:18
  • Don't MySQL escape in Javascript on the client! You need to escape on the server while you are creating your queries, no sooner, no later! Read kunststube.net/escapism. Commented Dec 5, 2013 at 7:18
  • So I escape them in the Servlet? Commented Dec 5, 2013 at 7:23

2 Answers


There is no need to escape anything in JavaScript; you'll not insert it directly but via some kind of server-side script (like PHP). That's the place to perform such tasks. Especially since you can never trust anything that is done using JavaScript. The user can modify it easily or even disable JavaScript. That shouldn't break your site or database!

On the server side you can use prepared statements to safely insert data into the database.


12 Comments

So I escape them in the Servlet? Using the replace() method?
@AnjanBaradwaj No, don't use something that is not created for escaping. I don't know what server-side language you are using so I can't tell you what it will be exactly, but probably there are some dedicated functions for that.
@AnjanBaradwaj Didn't see the last edit. You should use a Hibernate Query object with parameters and set* methods on it (if you use Hibernate to talk to the database).
@AnjanBaradwaj Don't escape for "storing in a database" - do escape when using in output (e.g. HTML). Java/JDBC/Hibernate/etc support placeholders just fine.
@ElonThan with technologies such as Node.js around, especially considering this question wasn't tagged php and was asked since Node.js has been around, stating that one should never escape characters for storage into a database via javascript, and the other points you've made regarding javascript aren't exactly true: one cannot disable server-side javascript from their computer browser - nor can a client modify server-side javascript. However, when tools such as prepared statements exist, even when using Node.js, escaping is indeed less predictable and recommended against.
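A complete JDBC version of what this answer and the question's update describe, added here as an example (it is not code from the question or the answer): the comment is bound with setString() exactly as typed, and HTML escaping plus the newline-to-<br /> conversion happen only when the text is rendered. The comments table and its columns, the Connection supplied by the caller, and the CommentStore class name are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class CommentStore {

    // Stores the raw comment. Because both values are bound to placeholders (?),
    // the JDBC driver handles quoting: ' " and newlines in the text need no
    // escaping here. Table and column names are assumed for this example.
    public static int insertComment(Connection conn, String user, String comment)
            throws SQLException {
        String sql = "INSERT INTO comments (username, body) VALUES (?, ?)";
        try (PreparedStatement st = conn.prepareStatement(sql)) {
            st.setString(1, user);
            st.setString(2, comment);  // bound, never concatenated into the SQL
            return st.executeUpdate();
        }
    }

    // Escaping belongs at the output boundary: when the stored text is placed
    // into an HTML page (e.g. from a JSP), encode HTML metacharacters first and
    // only then turn newlines into <br />, so user text cannot inject markup.
    public static String toHtml(String stored) {
        StringBuilder sb = new StringBuilder(stored.length() + 16);
        for (int i = 0; i < stored.length(); i++) {
            char c = stored.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                case '\n': sb.append("<br />"); break;
                case '\r': break;                // drop the CR of CRLF line ends
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Constructed sample input: quotes, markup and a CRLF newline, as a
    // textarea would submit them. Only the rendering step runs without a DB.
    public static void main(String[] args) {
        String comment = "She said \"it's fine\" <b>&</b>\r\nnext line";
        System.out.println(toHtml(comment));
    }
}
```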

If you want to URI encode the string, you can use encodeURIComponent() and decodeURIComponent() functions. This is a link to the documentation page of the function.

http://www.w3schools.com/jsref/jsref_encodeuricomponent.asp

Hope that helps.
