How do I escape form input values, C style?

Ivan Marsh

Hey Folks,

How do I go about escaping values entered into a form so they can be
dumped into a database?

For the record, I have no idea how the functions I'm using to write to the
database work because it's a proprietary product that I have to use, and
"they" don't release any documentation about how their internals work. I
just need to be able to prepare the string before it's passed to their
function.

For example, the classic last name = O'Maley... and I can't use escape(),
I need it to come out O\'Maley.

A single quote isn't the only thing I'm concerned with but it's a start,
and solves my immediate problem.

Is there an all powerful function that escapes all special
(non-alphanumeric) characters or do I need some fancy regex?

Any help is, as always, appreciated.
 
Fred Oz

Ivan said:
Hey Folks,

How do I go about escaping values entered into a form so they can be
dumped into a database?

Values entered into forms are 'escaped' automatically by the browser
before submission to the server. O'Malley will appear in the URI sent
to the server as:

O%27Malley

Of course, if you are talking about un-escaping at the server, that
has nothing to do with client-side JavaScript.

[...]
 
Ivan Marsh

Fred said:
Values entered into forms are 'escaped' automatically by the browser
before submission to the server. O'Malley will appear in the URI sent
to the server as:

O%27Malley

Of course, if you are talking about un-escaping at the server, that
has nothing to do with client-side JavaScript.

I guess I should include an example... this data is being grabbed and
written run-time, and I don't think a "true" form submission is being
performed.

Here's some pseudo-code:

<script type="text/javascript">

query_string = "UPDATE mytable SET myfield = '" +
ProprietaryFieldGrab("Last_Name") + "' WHERE otherfield = '" +
ProprietaryFieldGrab("Phonenum") + "';";

ProprietaryDatabaseWrite(query_string, databasename);

</script>

Last_Name and Phonenum are fields in the form.

I need to do a C-like escape in query_string whenever
ProprietaryFieldGrab() is called.

Oh... and the proprietary functions are not in my control or editable by
me.

Any takers?
 
fox

Ivan said:
I guess I should include an example... this data is being grabbed and
written run-time, and I don't think a "true" form submission is being
performed.

Here's some pseudo-code:

<script type="text/javascript">

query_string = "UPDATE mytable SET myfield = '" +
ProprietaryFieldGrab("Last_Name") + "' WHERE otherfield = '" +
ProprietaryFieldGrab("Phonenum") + "';";

ProprietaryDatabaseWrite(query_string, databasename);

</script>

Last_Name and Phonenum are fields in the form.

I need to do a C-like escape in query_string whenever
ProprietaryFieldGrab() is called.

Oh... and the proprietary functions are not in my control or editable by
me.

Any takers?

query.replace(/([\'\"])/g,"\\$1"); ?
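Added example, not code posted in this thread: a C-style escape that covers more than the two quote characters (backslash, NUL, newline, carriage return and Ctrl-Z as well), applied to the UPDATE statement Ivan showed. The escape set follows MySQL-style string literal conventions; whether the proprietary ProprietaryDatabaseWrite() actually honours backslash escapes is an assumption that has to be confirmed against that product, and fieldGrab is a stand-in for ProprietaryFieldGrab() so the example runs offline.

```javascript
// Mapping from each character that can terminate or alter a single-quoted
// SQL string literal to its backslash-escaped form. Assumed escape set
// (MySQL-style); verify against the target database product.
const ESCAPES = {
  "\\": "\\\\", // a literal backslash must itself be escaped
  "'": "\\'",
  '"': '\\"',
  "\0": "\\0",   // NUL
  "\n": "\\n",
  "\r": "\\r",
  "\x1a": "\\Z", // Ctrl-Z
};

// Escape one value for splicing into a single-quoted SQL string literal.
// A single regex pass replaces every special character at once, so an
// inserted backslash is never re-escaped by a later step.
function sqlEscape(value) {
  // null/undefined become the empty string rather than the text "null".
  const s = value == null ? "" : String(value);
  return s.replace(/[\\'"\0\n\r\x1a]/g, (ch) => ESCAPES[ch]);
}

// Build the statement from the thread with every grabbed value escaped.
// fieldGrab is the caller's accessor (ProprietaryFieldGrab in the thread),
// passed in so the builder can be exercised with a stub.
function buildUpdate(fieldGrab) {
  return "UPDATE mytable SET myfield = '" + sqlEscape(fieldGrab("Last_Name")) +
         "' WHERE otherfield = '" + sqlEscape(fieldGrab("Phonenum")) + "';";
}

// Constructed sample input standing in for the two form fields.
const sampleForm = { Last_Name: "O'Maley", Phonenum: "555-0100" };
const stubGrab = (name) => sampleForm[name];
console.log(buildUpdate(stubGrab));
// → UPDATE mytable SET myfield = 'O\'Maley' WHERE otherfield = '555-0100';
```

If the product ever exposes a parameterised or prepared-statement interface, prefer it over any string escaping; escaping is only the fallback when the API takes a finished query string.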