How do I URL encode something in Node.js?

454

I want to URL encode this:

SELECT name FROM user WHERE uid = me() 

Do I have to download a module for this? I already have the request module.

Lange answered 1/7, 2011 at 23:9 Comment(8)
Indeed, this is a slippy road and should be avoided at all costs. - Peking
Are you trying to put an SQL statement in your URL??? Be careful of the SQL injection attack! It's generally a bad idea to expose SQL to the users; it's really dangerous. - Derm
@LightnessRacesinOrbit: looks like an FQL query. - Tyika
@LightnessRacesinOrbit Doesn't Stack Exchange do this? If I understand this, it uses permissions at the DBMS to keep anything bad from happening. - Neve
@Demi: No? How would that work. DBMS permissions are not sufficiently fine-grained, even if every single SO user got their own DB account. Tell me where on SO you see SQL queries passed directly? The one exception is data explorer, but that's all read-only views, and it's certainly not put in the URL. - Pily
@LightnessRacesinOrbit I was referring to read-only views. - Neve
@Demi: The answer's still no. - Pily
The guy could be building an SQL validation tool; nothing wrong with passing SQL commands in an example like that. Too much focus on neither answering the question nor giving good advice (the most upvoted comment doesn't give good advice, only makes fun of the OP). - Mervinmerwin
813

You can use JavaScript's encodeURIComponent:

encodeURIComponent('select * from table where i()')

giving

'select%20*%20from%20table%20where%20i()'
Bauhaus answered 1/7, 2011 at 23:12 Comment(2)
To save visitors a search, yes... decodeURIComponent is how you decode the encoded URI. You're welcome. - Scott
It helped me query in Bengali language using NodeJS. Thank you! - Minutely
151

The built-in module querystring is what you're looking for:

var querystring = require("querystring");
var result = querystring.stringify({query: "SELECT name FROM user WHERE uid = me()"});
console.log(result);
// prints 'query=SELECT%20name%20FROM%20user%20WHERE%20uid%20%3D%20me()'
Antispasmodic answered 2/7, 2011 at 23:56 Comment(3)
In this case we can only pass a map, not a string, so if arg is a string then you will see nothing in result. So if you have strings to encode, use encodeURIComponent(). - Brokendown
This is better for encoding JSON objects and POST-ing them. - Orchestral
Not if the string contains ' or " characters. - Chlorobenzene
52

Use the escape function of querystring. It generates a URL safe string.

var escaped_str = require('querystring').escape('Photo on 30-11-12 at 8.09 AM #2.jpg');
console.log(escaped_str);
// prints 'Photo%20on%2030-11-12%20at%208.09%20AM%20%232.jpg'
Becki answered 9/2, 2014 at 21:57 Comment(2)
This definitely appears to be the correct function; querystring.stringify() (in Nicolas' answer) seems to return an empty string now. - Euh
nodejs.org/api/… says: "The querystring.escape() method is used by querystring.stringify() and is generally not expected to be used directly." - Hygrophilous
32

Note that URI encoding is good for the query part, it's not good for the domain. The domain gets encoded using punycode. You need a library like URI.js to convert between a URI and IRI (Internationalized Resource Identifier).

This is correct if you plan on using the string later as a query string:

> encodeURIComponent("http://examplé.org/rosé?rosé=rosé")
'http%3A%2F%2Fexampl%C3%A9.org%2Fros%C3%A9%3Fros%C3%A9%3Dros%C3%A9'

If you don't want ASCII characters like /, : and ? to be escaped, use encodeURI instead:

> encodeURI("http://examplé.org/rosé?rosé=rosé")
'http://exampl%C3%A9.org/ros%C3%A9?ros%C3%A9=ros%C3%A9'

However, for other use-cases, you might need uri-js instead:

> var URI = require("uri-js");
undefined
> URI.serialize(URI.parse("http://examplé.org/rosé?rosé=rosé"))
'http://xn--exampl-gva.org/ros%C3%A9?ros%C3%A9=ros%C3%A9'
Ortolan answered 11/9, 2015 at 17:26 Comment(2)
I don't understand why xn-- is added in the second example. It will not work as a URL, or did I miss something? - Abandon
Look at the second "e" in http://examplé.org: it is not an ASCII character and should be presented as punycode. - Riva
19

encodeURIComponent(string) will do it:

encodeURIComponent("Robert'); DROP TABLE Students;--")
//>> "Robert')%3B%20DROP%20TABLE%20Students%3B--"

⚠️ Passing SQL around in a query string might not be a good plan though: see this one

Bitstock answered 19/1, 2018 at 17:34 Comment(1)
We call him little Bobby Tables :-P - Trinitrophenol
1

encodeURI

The encodeURI() method is used to encode a complete URL. This method encodes special characters except ~!$&@#*()=:/,;?+

encodeURIComponent

To encode special characters in URI components, you should use the encodeURIComponent() method. This method is suitable for encoding URL components such as query string parameters and not the complete URL.

Impeach answered 8/6, 2022 at 8:38 Comment(0)
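
The encodeURI() versus encodeURIComponent() distinction in the answer above decides whether a value can break out of its query parameter. The following is an added example, not code from any answer on this page; the endpoint and sample value are constructed, and the last function shows that percent-encoding is reversible, so it does nothing to make SQL text safe on the receiving side.

```javascript
// Added example: comparing encoders for ONE query-string value.
// Uses only Node.js globals (URL, URLSearchParams); no modules needed.

// Constructed sample value containing characters that act as
// delimiters inside a query string (&, =, #).
const value = 'me()&admin=true#frag';
const BASE = 'http://example.org/search'; // placeholder endpoint

// Weak: encodeURI() is meant for whole URLs, so it leaves & = # ? as-is.
function buildWithEncodeURI(v) {
  return BASE + '?q=' + encodeURI(v);
}

// Correct for a single component: & = # become %26 %3D %23.
function buildWithEncodeURIComponent(v) {
  return BASE + '?q=' + encodeURIComponent(v);
}

// Also correct: let URLSearchParams do the escaping.
function buildWithSearchParams(v) {
  const u = new URL(BASE);
  u.searchParams.set('q', v);
  return u.toString();
}

// Parse a URL the way a receiving server would and return its parameters.
function parseParams(url) {
  return Object.fromEntries(new URL(url).searchParams);
}

// Percent-encoding is transport encoding only: decoding gives back
// exactly the text that went in, quotes and semicolons included.
function roundTrip(v) {
  return decodeURIComponent(encodeURIComponent(v));
}

// With encodeURI the value splits into two parameters and a fragment;
// with the other two builders it arrives intact as the single parameter q.
console.log(parseParams(buildWithEncodeURI(value)));
console.log(parseParams(buildWithEncodeURIComponent(value)));
console.log(parseParams(buildWithSearchParams(value)));
console.log(roundTrip("Robert'); DROP TABLE Students;--"));
```
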
