sanitize data for SQL with JavaScript

Question

I have a bunch of forms that have various input elements. I want to sanitize these on the server side (yes, I'm using server-side JavaScript) to use these inputs as parameters, and prevent special characters to be malformed.

Before you go, like "this belongs not in the realm of JavaScript", etc., etc.

I am using a multi-million licensed software solution, that well has JavaScript but apparently has no standard functions like this out of the box. So, whatever I am using, I can assure you that you probably have never touched it or heard of it. And it supports server side javascript, because well, the language is cool.

My first objective is to sanitize data before it goes in the database, and I just love the way for example how Ruby labels foreign data: tainted. And I rather have no tainted data. So I could google and copy paste some poor regex from here and there, and I got some sad example. However, I would like to have a function that would be said "well, that takes off 70% of the possible stuff from that data and a pretty darn good sanitize".

Basically a string from these elements should be escaped and I assume best practices are already existing for this wish of mine.

function sanitize(myString) { ... ; return myString }

How can I escape symbols like '#!? and other special characters and how i can i get them back in reverse? I am aware of the JavaScript escape method, but I want to know if a function is already debugged and public available before I re-invent the wheel.

I considered: - JavaScript Escape - Base64 Encoding - Regex

I just rather ask the people who have written such functions before.

Thanks,

Answer 1

See update below

You're reinventing the wheel. Whatever you're using to talk to your database should have some kind of "prepared statement" concept. In Java it's literally the PreparedStatement class, but essentially any database access system should have something similar. You use these so that you're not building up SQL statements as strings. So for instance, conceptually:

preparedStatement = prepare("insert into mytable (id, name) values (?, ?)")
preparedStatement.setField(0, theId);
preparedStatement.setField(1, theName);

Not:

statement = "insert into mytable (id, name) values ('" + theId + "', '" + theName + "')"

...which is asking for injection attacks.

The "prepared statement" concept centralizes escaping to the database link layer, which is well-prepared to handle it. If you tell people what you're using to access your database, they'll be able to point you at the relevant mechanism. See below.

Just for the avoidance of doubt: You're doing this escaping on the server, right? I mean, that's how I read it, you've actually said "I want to sanitize these on the server side...". But just in case you were thinking of doing it client-side: You can't. Nothing, absolutely nothing, that the client-side sends you can be trusted, as it can be faked. You must do this server-side.

---

Update: You've commented that you're using Rhino in an application server. Excellent! Then just PreparedStatement and let your JDBC driver handle it for you. (For non-Java lurkers: Rhino is JavaScript for the Java VM. It's brilliant.)