admin管理员组

文章数量:1357399

I am using sockets.io to insert user-generated messages into MySQL, but I'm running into issues inserting records with an apostrophe. I've been trying to use the replace() method on the client side script, but the input text is passing with the apostrophe. 

  socket.on('refresh feed',function(msg){
        str=msg.replace("'", "\'");
        alert(str);
    $("#chtxt").append(str + '<br />');
  });

The above attempt will alert any string without the special character, but does not alert when it exist. I believe that I'm actually alerting after the message has been sent to sockets.

So, I tried adapting this code which watches for the enter key press to also watch for the apostrophe, with no luck there either. 

  $('#omnibox').keypress(function (e) {
    var key = e.which;
    if(key == 13)  // the enter key code
    {
      $('input[name = "clicky"]').click();
      return false;  
    }
    if(key == 222)  // the apostrophe key code
    {
            alert('Apostrophe!')
      return false;  
    }
    });

I researched the question of how to replace special characters for MySQL using javascript but found outdated stacks explaining why client-side validation for this is not a good idea.

That's fine. If I shouldn't do this client side, I need to know then how to do it in my server.js node script, then. It is still javascript, so a solution on either side, provided it's secure would be great.

Server-side code:

var add_status = function (status,callback) {
    pool.getConnection(function(err,connection){
        if (err) {
          callback(false);
          return;
        }
    connection.query("INSERT INTO `videosub` (`url`) VALUES ('"+status+"')",function(err,rows){
            connection.release();
            if(!err) {
              callback(true);
            }
        });
     connection.on('error', function(err) {
              callback(false);
              return;
        });
    });
}

Thanks!

I am using sockets.io to insert user-generated messages into MySQL, but I'm running into issues inserting records with an apostrophe. I've been trying to use the replace() method on the client side script, but the input text is passing with the apostrophe. 

  socket.on('refresh feed',function(msg){
        str=msg.replace("'", "\'");
        alert(str);
    $("#chtxt").append(str + '<br />');
  });

The above attempt will alert any string without the special character, but does not alert when it exist. I believe that I'm actually alerting after the message has been sent to sockets.

So, I tried adapting this code which watches for the enter key press to also watch for the apostrophe, with no luck there either. 

  $('#omnibox').keypress(function (e) {
    var key = e.which;
    if(key == 13)  // the enter key code
    {
      $('input[name = "clicky"]').click();
      return false;  
    }
    if(key == 222)  // the apostrophe key code
    {
            alert('Apostrophe!')
      return false;  
    }
    });

I researched the question of how to replace special characters for MySQL using javascript but found outdated stacks explaining why client-side validation for this is not a good idea.

That's fine. If I shouldn't do this client side, I need to know then how to do it in my server.js node script, then. It is still javascript, so a solution on either side, provided it's secure would be great.

Server-side code:

var add_status = function (status,callback) {
    pool.getConnection(function(err,connection){
        if (err) {
          callback(false);
          return;
        }
    connection.query("INSERT INTO `videosub` (`url`) VALUES ('"+status+"')",function(err,rows){
            connection.release();
            if(!err) {
              callback(true);
            }
        });
     connection.on('error', function(err) {
              callback(false);
              return;
        });
    });
}

Thanks!

  • javascript
  • mysql
  • node.js
  • sockets
Share Improve this question edited Apr 9, 2017 at 22:18 Dshiz asked Apr 9, 2017 at 21:41 DshizDshiz 3,3514 gold badges34 silver badges63 bronze badges
Add a ment  | 

1 Answer 1

Reset to default 9

Don't do it

You are asking about the wrong solution to the problem.

To replace the apostrophes with backslash-apostrophes you might use:

str = msg.replace(/'/g, '\\\'');

but you should not do that. I am only providing that info because that's what your question asks about but read below.

Why it's a bad idea

You shouldn't do it on the client side and you shouldn't do in on the server side either. If avoiding SQL injection vulnerabilities was a simple matter of replacing apostrophes with backslash-apostrophes then it wouldn't be an issue. Unfortunately it's more plicated.

Having the info that you provided it's even impossible to tell whether backslash-apostrophe would even do what you expect in the first place without seeing your code that actually makes the database queries. But it doesn't matter because you should never ever do that. Never. See those answers to see why - those questions are not about SQL injections but the code examples included SQL injection vulnerabilities and the answers explain it:

  • cannot use backtick when using nodejs 7.3.0
  • Node js - Promise Rejection Warning when process a lot of data
  • Is it possible to listen for object instantiation in Node.js?

Obligatory ic strip

What you should do instead

That having been said, you didn't tell what module you're using to query the database but no matter if you're using the mysql module or Sequelize or anything worth its salt, there should always be a mechanism of interpolating variables in a safe manner without manually escaping and concatenating the strings.

Examples

You didn't show even a single line of code that is relevant here so I cannot tell you how to fix it but consider this example:

Unsafe:

connection.query(
  "SELECT * FROM player WHERE nick = '"
  + data.login + "' AND pass = '" + data.pass + "'",
  function (err, rows) {
    //...
  }
);

Still unsafe, plex, unreadable, unmaintainable and unreliable:

connection.query(
  "SELECT * FROM player WHERE nick = '"
  + data.login.replace(/'/g, '\\\'') + "' AND pass = '" + data.pass.replace(/'/g, '\\\'') + "'",
  function (err, rows) {
    //...
  }
);

Safe and simple:

connection.query(
  "SELECT * FROM player WHERE nick = ? AND pass = ?", [data.login, data.pass],
  function (err, rows) {
    // ...
  }
);

More info

For more info see the docs:

  • https://www.npmjs./package/mysql
  • http://docs.sequelizejs./en/v3/

本文标签: How to escape mysql special characters with socketsionodejsjavascriptStack Overflow

版权声明:本文标题:How to escape mysql special characters with sockets.ionode.jsjavascript - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1743992837a2572462.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。