
How to escape data that is being inserted into an SQLite database?

Tags: sqlite, cordova

I'm making an Apple app using PhoneGap (which uses an SQLite database).

All my inserts work fine except for when I try to insert a weblink. This errors because there are " characters in the weblink.

Using the following:

var content = 'hello, this is my <a href="www.google.com">link</a>'
tx.executeSql('UPDATE PAGES SET content="'+content+'" WHERE id="1"');

Brings back the following error

error code 1
error: "near "http": syntax error"

If I remove the website address, I don't get an error. I have tried: content = escape(content);

but that hasn't worked.

Billie asked Sep 30 '11 09:09


2 Answers

Use parameter binding. This is the right and the safest way to do what you're trying to do.

tx.executeSql('UPDATE PAGES SET content=? WHERE id=1', [content]);
hamstergene answered Oct 06 '22 03:10


To escape quotes in SQLite you'll have to repeat the quotes.

So to insert a 7" screen you'll have to put a 7"" screen in the INSERT statement.

Dylan answered Oct 06 '22 02:10
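The two answers above compared against the question's concatenated statement, as an added example that is not part of the original posts. It uses Python's sqlite3 module so it runs against a real SQLite engine outside a WebView (the `?` placeholder is the same one `executeSql` takes); the PAGES schema, the sample strings and the function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample values: the question's link plus a string with both quote types.
SAMPLES = [
    'hello, this is my <a href="www.google.com">link</a>',
    'it\'s a 7" screen',
]


def new_db():
    """In-memory database with a PAGES table like the question's (schema assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PAGES (id INTEGER PRIMARY KEY, content TEXT)")
    db.execute("INSERT INTO PAGES (id, content) VALUES (1, '')")
    return db


def update_concatenated(db, content):
    """The question's approach: the value is pasted into the SQL text."""
    db.execute('UPDATE PAGES SET content="' + content + '" WHERE id="1"')


def update_bound(db, content):
    """First answer: the SQL text is constant and the value travels separately."""
    db.execute("UPDATE PAGES SET content=? WHERE id=?", (content, 1))


def update_doubled(db, content):
    """Second answer's quote doubling, applied to a standard single-quoted literal."""
    db.execute("UPDATE PAGES SET content='" + content.replace("'", "''") + "' WHERE id=1")


def run(update, content):
    """Return the stored value, or the SQLite error text if the statement fails."""
    db = new_db()
    try:
        update(db, content)
        return db.execute("SELECT content FROM PAGES WHERE id=1").fetchone()[0]
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)
    finally:
        db.close()


if __name__ == "__main__":
    for sample in SAMPLES:
        for fn in (update_concatenated, update_bound, update_doubled):
            print(f"{fn.__name__:20} {run(fn, sample)!r}")
```

Both fixes store the value unchanged, but doubling has to be repeated correctly at every call site, while the bound form never lets the value reach the SQL parser.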