CodeFoodPixels / node-promise-mysql

A wrapper for mysqljs/mysql that wraps function calls with Bluebird promises.
MIT License
338 stars 63 forks

connection.escape method is not present in the connection object #5

Closed gajus closed 9 years ago

gajus commented 9 years ago

In order to avoid SQL Injection attacks, you should always escape any user provided data before using it inside a SQL query. You can do so using the mysql.escape(), connection.escape() or pool.escape() methods.

– https://www.npmjs.com/package/mysql#escaping-query-values

Quick fix until this is resolved in the main package:

// Create the connection, then expose the escape() helper on it
var db = mysql.createConnection(config);
db.escape = mysql.escape;

CodeFoodPixels commented 9 years ago

It's exposed on a specific connection object (https://github.com/lukeb-uk/node-promise-mysql/blob/master/lib/connection.js#L97), but I'll look at linking it up in the main package.

gajus commented 9 years ago

Ah, this has to do with https://github.com/lukeb-uk/node-promise-mysql/issues/3 and how I use db.query:

var db = mysql.createConnection(config);

db.query = function (sql, values) {
    return db.then(function (connection) {
        return connection.query(sql, values);
    });
};

In that case it is not relevant to the entire package.
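The wrapper pattern discussed in this thread, with escape() hoisted onto the promise, as an added example that is not part of promise-mysql or of either commenter's code. The escape rules are a re-implementation of the ones the mysql package documents (an assumption, covering only strings, numbers, booleans and null), and the connection is a constructed fake that records the final SQL instead of talking to MySQL.

```javascript
// Added example, not promise-mysql's code: a promise-wrapped connection exposing
// escape() and a query() shim with "?" placeholders. The escape rules re-implement
// the ones documented for the mysql package (assumption); use mysql.escape in real code.
const ESCAPE_CHARS = /[\0\b\t\n\r\x1a"'\\]/g;
const ESCAPE_MAP = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
};

function escape(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') return String(value);
  if (typeof value === 'boolean') return value ? 'true' : 'false';
  return "'" + String(value).replace(ESCAPE_CHARS, (c) => ESCAPE_MAP[c]) + "'";
}

// Replace each "?" with the escaped value, as connection.query(sql, values) does.
function format(sql, values) {
  let i = 0;
  return sql.replace(/\?/g, () => (i < values.length ? escape(values[i++]) : '?'));
}

// Constructed fake connection: records the final SQL instead of talking to MySQL.
function createFakeConnection(log) {
  return {
    query: (sql, values) => Promise.resolve(log.push(values ? format(sql, values) : sql)),
  };
}

// The pattern from the thread: db is a promise for a connection, with query() and
// escape() hoisted onto it so callers never need the raw connection object.
function createDb(log) {
  const db = Promise.resolve(createFakeConnection(log));
  db.query = (sql, values) => db.then((conn) => conn.query(sql, values));
  db.escape = escape; // the quick fix from the issue
  return db;
}

// Unsafe: user input concatenated straight into the query text.
function unsafeSql(name) { return "SELECT * FROM users WHERE name = '" + name + "'"; }
// Safe: the same query with the value escaped through the wrapper.
function safeSql(db, name) { return 'SELECT * FROM users WHERE name = ' + db.escape(name); }

// Runs the placeholder path and returns the SQL the fake connection received.
async function demo() {
  const log = [];
  await createDb(log).query('SELECT * FROM users WHERE name = ?', ["O'Brien"]);
  return log[0];
}
```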

CodeFoodPixels commented 9 years ago

I've actually submitted a pull request to your web-proxy project so that promise-mysql can be used as intended: https://github.com/gajus/web-proxy/pull/1