 

MongoDB Node JS escaping single quote problems

In my Node.js code, I have escaped single quotes with the function below:

// Escapes single quotes and square brackets before the value goes into a RegExp
var regescape = function(text) {
    return text.replace(/[\[\]']+/g, "\\$&");
};

This is working fine for me. But suddenly I discovered I have the string M'$ in my database, which is not returned by the query below.

var param1 = "M'$";

var cursor = db.collection('search').find({"searchcontent.name": new RegExp('^' + regescape(param1))}).limit(10);

Also, please suggest the best practice for handling Node.js parameters passed to MongoDB. I am calling Node.js from PHP code, and I am sending the parameters with rawurlencode() from the PHP code. In Node.js I'm using decodeURI() on the received parameters.

Edit:

My PHP code for calling Node.js:

function getdetail($data1) {
    // rawurlencode() so that characters such as ' and $ survive the query string
    $p1 = rawurlencode($data1);
    $service_url = 'http://exampleserver:8081/search?param1=' . $p1;
    $curl = curl_init($service_url);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    $curl_response = curl_exec($curl);
    if ($curl_response === false) {
        $info = curl_getinfo($curl);
        curl_close($curl);
        die('error occurred. Please try later');
    }
    curl_close($curl);
    // json_decode(..., true) returns an associative array, so the status is read
    // with array access, not the object syntax $decoded->response->status
    $decoded = json_decode($curl_response, true);
    if (isset($decoded['response']['status']) && $decoded['response']['status'] == 'ERROR') {
        die('error occurred. Please try later');
    }
    return $decoded;
}

Node.js code to receive data:

var express = require('express');
var MongoClient = require('mongodb').MongoClient;
var assert = require('assert');

var app = express();
// Connection string: placeholder value, the real one is not shown in the post
var url = 'mongodb://localhost:27017/search';

app.get('/search', function (req, res) {
    // Express has already percent-decoded req.query, so decodeURI() decodes a
    // second time. That is harmless for a value like M'$, but it throws a
    // URIError if the decoded value itself contains a stray "%".
    var param1 = decodeURI(req.query.param1);
    MongoClient.connect(url, function (err, db) {
        assert.equal(null, err);
        search(param1, db, function (data) {
            db.close();
            res.end(JSON.stringify(data));
        });
    });
});

var search = function (param1, db, callback) {
    // Prefix search: names starting with the whole parameter, or with its
    // first four characters
    var cursor = db.collection('search').find({
        $or: [
            { "searchcontent.name": new RegExp('^' + regescape(param1)) },
            { "searchcontent.name": new RegExp('^' + regescape(param1.substring(0, 4))) }
        ]
    }).limit(10);

    cursor.toArray(function (err, items) {
        // On a query error, hand back an empty result instead of undefined
        callback(err ? [] : items);
    });
};

// Port the PHP caller connects to
app.listen(8081);

This Node.js code is for search, so I used RegExp(). For other cases I used the code below:

var cursor = db.collection('employees').find({"dep.name": regescape(param1), "mrg.name": regescape(param2)});
asked Nov 17 '16 by Arijit


1 Answer

The problem is with the $ sign. It's a special character and it should be escaped, because normally it means end of input. You have to update the regescape function, because it escapes only single quotes and square brackets, so you have to at least add the dollar sign there too.

Also, it seems your regescape function does not work as expected in some cases. Try for example passing this value: test[]'. I think you expect to get test\[\]\', but actually you will get test\[]'

So in order to fix it and add the dollar sign, it should be something like this:

var regescape = function(text) {
    return text.replace(/'|\$|\[|\]/g, "\\$&"); 
};

The pipe (|) means "or", so it simply escapes any of the symbols from the set. You can easily add more characters there in the future.

answered Oct 25 '22 by rkm