I have run into a problem where the user enters data and if there are single quotes at all, the script errors out.

What's the best way to handle single quotes that users enter so it doesn't interfere with the jquery/javascript?

UPDATE:

I'm sending it through ajax to a database. Here is the data parameter for a json ajax call.
data: "{str_" + sectionName + " :'" + UpdateText + "',EntityID: '" + EntityID + "' }",
with update text being the string that can contain the quotes.

+5  A: 

You need to escape the quotes with a \ or depending on how you plan to use the string you can use the javascript escape and unescape functions.

alert(escape("mike's"));
alert(unescape(escape("mike's")));

Also check this out for ways to escape strings with jQuery

mbrevoort
+1  A: 

You could find one of the many String.replaceAll implementations or write your own, and just replace any single or double quotes with an escaped version like \" or \'.

Jonathon
A: 

You should really sanitize your input inside your server-side script for a variety of reasons. If you're just displaying everything the user enters then your application can likely be used to launch a cross-site scripting attack.

Cfreak
relevant xkcd http://xkcd.com/327/
thenoviceoof
I think his issue is that he's getting a javascript error, client-side, while trying to send data to the server.
Jonathon
A: 

Javascript has a built-in method just for this that covers more than just single quotes. It's called encodeURIComponent, from Javascript Kit:

Used to encode the parameter portion of a URI for characters that have special meaning, to separate them from reserved characters such as "&" that act as key/value separators. More inclusive than encodeURI(), it encodes all characters with special meaning in a URL string, including "=" and "&". Use this method only on the parameter portion of a URI; otherwise, the URI may no longer be valid if it contains one of the characters that are part of a valid URI (ie: "+") yet should be escaped if part of the URI parameter.

So your code should become:

data: "{str_" + encodeURIComponent(sectionName) + " :'" + encodeURIComponent(UpdateText) + "',EntityID: '" + encodeURIComponent(EntityID) + "' }",

I encode everything I send in a query string to be safe, but encoding the EntityID could arguably be skipped because it doesn't come from the user (I'm assuming), so you know it won't have special characters.

Tilendor
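The following is an added example; it is not code from the question or from any of the answers above. It reproduces the error the question describes using the data literal from the question, shows that the same concatenation also lets the value inject extra keys into the object, and compares the fixes proposed in the answers: building the object and serializing it with JSON.stringify, the manual backslash escaping from Jonathon's answer, and the escape and encodeURIComponent calls from mbrevoort's and Tilendor's answers. One check worth making before adopting encodeURIComponent for this problem: it does not encode the apostrophe at all, while the older escape function does. The names sectionName, UpdateText and EntityID come from the question; the function names and sample inputs are chosen here.

```javascript
// Added example, not code from the question or the answers. Parameter names
// sectionName, UpdateText and EntityID come from the question; everything else
// (function names, sample inputs) is chosen here for illustration.

// The data parameter exactly as the question builds it: an object literal
// assembled by string concatenation, so UpdateText is spliced into source code.
function buildPayloadByConcat(sectionName, UpdateText, EntityID) {
  return "{str_" + sectionName + " :'" + UpdateText + "',EntityID: '" + EntityID + "' }";
}

// Evaluate the literal the way a lenient consumer (or eval on the server) would.
// Demonstration only: never evaluate untrusted text like this in real code.
function evalLiteral(src) {
  try {
    return { ok: true, value: new Function("return (" + src + ");")() };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// The fix that removes the problem: build a real object and let JSON.stringify
// produce the quoting. Quotes, backslashes and newlines are escaped for you.
function buildPayload(sectionName, UpdateText, EntityID) {
  var obj = {};
  obj["str_" + sectionName] = UpdateText;
  obj.EntityID = EntityID;
  return JSON.stringify(obj);
}

// Manual escaping in the spirit of Jonathon's answer, for a single-quoted
// JavaScript string literal: backslashes first, then the quote, then line breaks.
function escapeForSingleQuotedLiteral(s) {
  return String(s)
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/\n/g, "\\n")
    .replace(/\r/g, "\\r");
}

// Does an encoder change the apostrophe at all? encodeURIComponent leaves
// ' ( ) * ! ~ - _ . untouched, whereas the older escape function encodes ' as %27.
function encodesApostrophe(encoder) {
  return encoder("'") !== "'";
}

// Walk through the cases when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  // A single quote in the value: the literal no longer parses.
  console.log(evalLiteral(buildPayloadByConcat("Title", "mike's", "42")));
  // A crafted value: the literal parses, but with a key the page never intended.
  console.log(evalLiteral(buildPayloadByConcat("Title", "x', isAdmin: true, ignored: '", "42")));
  // Serialized from a real object: the quote is just data.
  console.log(buildPayload("Title", "mike's", "42"));
  console.log("encodeURIComponent touches ':", encodesApostrophe(encodeURIComponent));
  console.log("escape touches ':", encodesApostrophe(escape));
}
```

Run it with node. The evalLiteral helper uses the Function constructor only to show what a lenient consumer of the literal would see; never evaluate user-supplied text that way in production. If the server expects JSON, set data to the JSON.stringify output and contentType to "application/json" in the $.ajax call, which avoids hand-building the literal entirely; the server must still validate what it receives, as Cfreak's answer points out.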