MongoDB Node JS escaping single quote problems

Question

In my Node js, I have escaped single quote with the below function

var regescape = function(text) {
return text.replace(/[\[\]']+/g, "\\$&"); 
};

This is working fine for me. But suddenly I discovered I have a string M'$ in my database. Which is not returning with my below query.

param 1 = "M'$";

var cursor = db.collection('search').find({"searchcontent.name":new RegExp('^'+regescape(param1))}).limit(10);

Also Please suggest the best practice for handling Node JS parameter pass to MongoDB. I am calling NodeJS from PHP code. And I am sending parameters with rawurlencode() from PHP code. In node js I'm using decodeURI() to the received parameters.

Edit:

My PHP code for calling Node JS:

function getdetail($data1) {
    $p1 = $data1;
    $service_url = 'http://exampleserver:8081/search?param1='.$p1;
    $curl = curl_init($service_url);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    $curl_response = curl_exec($curl);
        if ($curl_response === false) {
        $info = curl_getinfo($curl);
        curl_close($curl);
        die('error occured.Please try later');
        }
    curl_close($curl);
    $decoded = json_decode($curl_response, true);
    if (isset($decoded->response->status) && $decoded->response->status == 'ERROR') {
        die('error occured.Please try later');
    }
    return $decoded;

}

Node JS code to receive data:

app.get('/search', function (req, res) {
    var param1=decodeURI(req.query.param1);
    MongoClient.connect(url, function(err, db) {
     assert.equal(null, err);
     search(param1,db, function(data){ db.close(); res.end(JSON.stringify(data)); });
   });
});


var search = function(param1,db, callback) {

var cursor = db.collection('search').find({$or:[{"searchcontent.name":new RegExp('^'+regescape(param1))},{"searchcontent.name":new RegExp('^'+regescape(param1.substring(0,4)))}]}).limit(10);

    cursor.toArray(function(err, items) {
    callback(items);
    });

  };

This Node JS code is for search so I used RegEXP(). For other cases I used the below code:

var cursor = db.collection('employees').find({"dep.name":regescape(param1),"mrg.name":regescape(param2)});

Answer 1

The problem is with $ sign. It's a special character and it should be escaped, because normally it means end of input. You have to update regescape function, because it escapes only single quote and square brackets - so you have at least add dollar sign there too.

Also seems like your regescape function does not work as expected in some cases. Try for example to pass this value: test[]'. I think you expect to get test\[\]\', but actually you will get test\[]'

So in order to fix it and add dolar sign - it should be something like this:

var regescape = function(text) {
    return text.replace(/'|\$|\[|\]/g, "\\$&"); 
};

Pipe (|) means or, so it simply escapes any of the symbols from the set. You can easily add more characters there in future.