Improve SQL escaping

This commit is contained in:
calzoneman 2013-06-03 18:37:30 -04:00
parent cfd70cff12
commit 70f2065a36
1 changed files with 31 additions and 10 deletions


@ -40,23 +40,44 @@ function getConnection() {
return db;
}
function sqlEscape(obj) {
if(obj === undefined || obj === null)
return "NULL";
if(typeof obj === "boolean")
return obj ? "true" : "false";
if(typeof obj === "number")
return obj + "";
if(typeof obj === "object")
return "'object'";
if(typeof obj === "string") {
obj = obj.replace(/[\0\n\r\b\t\\\'\"\x1a]/g, function(s) {
switch(s) {
case "\0": return "\\0";
case "\n": return "\\n";
case "\r": return "\\r";
case "\b": return "\\b";
case "\t": return "\\t";
case "\x1a": return "\\Z";
default: return "\\" + s;
}
});
return "'" + obj + "'";
}
}
function createQuery(template, args) {
var last = -1;
while(template.indexOf("?", last) >= 0) {
var idx = template.indexOf("?", last);
var arg = args.shift();
if(typeof arg == "string") {
arg = arg.replace(/([\'])/g, "\\$1");
if(idx == 0 || template[idx-1] != "`") {
arg = "'" + arg + "'";
}
}
if(arg === null || arg === undefined) {
arg = "NULL";
}
arg = sqlEscape(arg);
var first = template.substring(0, idx);
template = first + template.substring(idx).replace("?", arg);
last = idx + (arg+"").length;
last = idx + arg.length;
}
return template;
}
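Review bot: `sqlEscape` returns `undefined` for any value whose `typeof` matches none of the listed branches (a function or symbol, for instance) and turns every object — arrays, Dates, Buffers — into the literal string `'object'`, so an unexpected argument is silently spliced into the query instead of being rejected; a final `throw new Error("sqlEscape: unsupported value type " + typeof obj);` after the string branch, and ideally a throw in the object branch as well, would make that a loud failure. The substitution in `createQuery` uses `template.substring(idx).replace("?", arg)` with a string replacement, so `$&` and `$$` sequences inside an escaped value are interpreted as replacement patterns and the inserted text no longer has the `arg.length` that `last` is advanced by; splicing with `template = first + arg + template.substring(idx + 1);` avoids both problems. Because the `+`/`-` markers are not preserved on this page, it is unclear whether the pre-escaping lines (`arg.replace(/([\'])/g, "\\$1")` and the quote-wrapping guarded by the `` ` `` check) survive alongside the new `sqlEscape(arg)` call; if they do, string arguments are quoted and escaped twice and an identifier argument ends up single-quoted inside its backticks. It would also help to state in a comment on `sqlEscape` that this backslash scheme (presumably targeting MySQL, given `\Z` and backtick identifiers) assumes the session's `NO_BACKSLASH_ESCAPES` mode is off, and that driver-level parameter binding, where the driver offers it, is the more robust option than template substitution.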