views:

215

answers:

3

Hello guys, I have this rather classic problem when interacting with databases: handling single quotes and special characters. In PHP I am escaping the single quote with another single quote and regex syntax characters with preg_quote, and they are working like a pro. The problem is with JavaScript: there are some points in my scripts where I am directly passing the database variables at runtime into the JavaScript to build it up, and that's where it breaks.

Following is an example:

var href = "region_view.php?min_row=1&max_row=25&reg_name=^*&new''region' blah£"&order_by=reg_name asc";

Note the reg_name variable, which is giving me an error in the Firebug console: invalid assignment left-hand side. First question: is there any function like eval or something which can take care of these single and double quotes by default? Second question: these types of things are done all along the application. Going back through each JavaScript line and taking care of single and double quotes will be a hard task to do. Is there something global which can sort this problem?

My questions may sound stupid, but I googled and couldn't find anything, so I came here in the hope that someone can propose a solution for it.

Thanks,

A: 

You should be able to simply escape the quotes:

var quotes = "\"Quoted String\""

Another thing: If I see correctly, you are passing a regular expression through the parameter string. I don't know of any specific exploits, but my gut tells me this is a potential security hole and should be avoided.

Pekka
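An added example, not code from the original thread or any of its posters, showing in JavaScript what the server-side code has to do to a value like the failing reg_name before splicing it into a script. Escaping the quotes alone is not enough: the value is first URL-encoded because it sits in a query string (encodeURIComponent here, the equivalent of PHP's rawurlencode()), and the resulting URL is then emitted as a string literal through JSON.stringify with `<`, `>` and `&` hex-escaped (what PHP's json_encode() produces with JSON_HEX_TAG | JSON_HEX_AMP), so a value containing `</script>` cannot close the script element. The naive concatenation from the question is kept alongside to show it does not even parse. The sample value, the URL and the helper names are constructed for this example.

```javascript
// Added example, not code from the original thread: how to get a database
// value such as the failing reg_name into a generated JavaScript URL string
// without breaking (or being able to alter) the script.  The sample value and
// helper names are constructed for this example.
const RAW_REG_NAME = "^*&new''region' blah£\"";

// The naive construction from the question: the raw value is spliced
// straight into the source text of a string literal.
function naiveHrefLine(value) {
  return 'var href = "region_view.php?min_row=1&max_row=25&reg_name=' +
    value + '&order_by=reg_name asc";';
}

// Does a line of generated JavaScript parse?  new Function() parses it the
// way a browser parses a <script> block, without running it.
function parses(line) {
  try { new Function(line); return true; } catch (e) { return false; }
}

// Step 1: the value lives in a query string, so it needs URL encoding first.
// encodeURIComponent escapes '&', '=', '"', spaces and non-ASCII characters
// (the browser-side equivalent of PHP's rawurlencode()).
function buildHref(params) {
  const query = Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(String(v)))
    .join("&");
  return "region_view.php?" + query;
}

// Step 2: anything emitted into a <script> block goes through a string-literal
// encoder, never string concatenation.  JSON.stringify yields a valid literal
// with quotes, backslashes and control characters escaped; the extra
// replacements hex-escape '<', '>' and '&' so that a value containing
// "</script>" cannot close the script element, and U+2028/2029 so that older
// engines do not treat them as line terminators.  This matches what PHP's
// json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP) produces.
function toJsLiteral(s) {
  return JSON.stringify(s)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function safeHrefLine(params) {
  return "var href = " + toJsLiteral(buildHref(params)) + ";";
}

function literalLine(name, value) {
  return "var " + name + " = " + toJsLiteral(value) + ";";
}

// Step 3: round-trip checks.  Evaluate the generated line as a script would,
// then recover the original value from the URL (or from the literal).
function roundTripHref(value) {
  const line = safeHrefLine({ min_row: 1, max_row: 25, reg_name: value, order_by: "reg_name asc" });
  const href = new Function(line + " return href;")();
  return new URL(href, "http://example.invalid/").searchParams.get("reg_name");
}

function roundTripLiteral(value) {
  return new Function(literalLine("regName", value) + " return regName;")();
}

console.log("naive line parses:", parses(naiveHrefLine(RAW_REG_NAME)));   // false
console.log(safeHrefLine({ reg_name: RAW_REG_NAME }));
console.log(literalLine("regName", "</script><script>alert(1)</script>"));
```

The two encodings are separate layers: the URL encoding protects the query-string structure (so an embedded `&` or `=` cannot add or split parameters), and the literal encoding protects the JavaScript and HTML structure (so a quote or `</script>` cannot end the string or the script). Applying addslashes() alone covers only the quotes and backslashes of the second layer.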
A: 

Call php function addslashes() on your string.

Sergey Ilinsky
+3  A: 

Never build SQL in JavaScript. Always send the pure values to the server and let it escape them properly and then build the SQL. Otherwise, a hacker or script kiddie will break your site. Note that there are automated scripts floating around the net which search for such vulnerabilities and hack your site with a single mouse click.

Aaron Digulla