CodeFoodPixels / node-promise-mysql

A wrapper for mysqljs/mysql that wraps function calls with Bluebird promises.
MIT License
338 stars, 64 forks

Prepare query: How to avoid SQL injection #74

Closed LuisPaGarcia closed 6 years ago

LuisPaGarcia commented 6 years ago

How can I prepare query statements prior to execution?

```javascript
const mysql = require('promise-mysql');

let entry = 'value_to_prepare';
let connection;

mysql.createConnection({
    host: process.env.HOST,
    user: process.env.USER,
    password: process.env.PASSWORD,
    database: process.env.DATABASE
  }).then(function (conn) {
    connection = conn;
    // entry is interpolated straight into the SQL text: this is the injection risk being asked about
    return connection.query(`SELECT * FROM table where field ='${entry}'`);
  }).then(function (rows) {
    // callback and success come from the surrounding handler (not shown)
    callback(null, success({ rows }, 200))
  }).catch((err) => {
    console.log(err);
  });
```
CodeFoodPixels commented 6 years ago

https://github.com/mysqljs/mysql#escaping-query-values
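
The following is an added example, not code from the issue or from promise-mysql itself. It puts the interpolated query from the question next to a placeholder query and runs a constructed malicious input through both. In real code the placeholders are handled by the library: `connection.query('SELECT * FROM ?? WHERE ?? = ?', ['table', 'field', entry])` (promise-mysql passes `sql, values` through to mysqljs/mysql) or `mysql.format(sql, values)`. So that this file runs without a database or the `mysql` module, `buildQuery`, `escapeValue` and `escapeId` are hypothetical stand-ins that apply the escaping rules described in the linked section (`?` substitutes an escaped value, `??` an escaped identifier); they are not the library's own functions and skip details such as dotted identifiers.

```javascript
// Added example, not from the issue or from promise-mysql. buildQuery / escapeValue /
// escapeId are stand-ins for mysql.format and its ? / ?? placeholders, written so the
// file runs offline; use the library's query(sql, values) or format() in real code.

// Escape a value for use inside single quotes: numbers pass through, null becomes NULL,
// strings get the same backslash escapes MySQL's client library applies.
function escapeValue(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') return String(value);
  if (typeof value === 'boolean') return value ? 'true' : 'false';
  const escaped = String(value).replace(/[\0\b\t\n\r\x1a'"\\]/g, (ch) => {
    switch (ch) {
      case '\0': return '\\0';
      case '\b': return '\\b';
      case '\t': return '\\t';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\x1a': return '\\Z';
      default: return '\\' + ch; // quote characters and the backslash itself
    }
  });
  return `'${escaped}'`;
}

// Escape an identifier for a `??` placeholder: backtick-quote it and double any
// embedded backtick (dotted names are not handled in this stand-in).
function escapeId(id) {
  return '`' + String(id).replace(/`/g, '``') + '`';
}

// Substitute placeholders left to right: `??` takes an identifier, `?` takes a value.
// Placeholders without a corresponding value are left untouched.
function buildQuery(sql, values) {
  let i = 0;
  return sql.replace(/\?\??/g, (placeholder) => {
    if (i >= values.length) return placeholder;
    const v = values[i++];
    return placeholder === '??' ? escapeId(v) : escapeValue(v);
  });
}

// The query as written in the question: the value becomes part of the SQL text.
function vulnerableQuery(entry) {
  return `SELECT * FROM table where field ='${entry}'`;
}

// Hardened form: the SQL text is fixed, the value and identifiers are supplied separately.
function parameterizedQuery(entry) {
  return buildQuery('SELECT * FROM ?? WHERE ?? = ?', ['table', 'field', entry]);
}

// Constructed malicious input: closes the quoted literal and appends a tautology.
const MALICIOUS_ENTRY = "x' OR '1'='1";

// Interpolated: the OR clause is now part of the statement and matches every row.
// SELECT * FROM table where field ='x' OR '1'='1'
console.log(vulnerableQuery(MALICIOUS_ENTRY));

// Parameterized: the quotes are escaped, so the whole input stays a single string value.
// SELECT * FROM `table` WHERE `field` = 'x\' OR \'1\'=\'1'
console.log(parameterizedQuery(MALICIOUS_ENTRY));
```

Note that `??` also solves a second problem in the original query: `table` is a reserved word in MySQL, and the backtick quoting produced by the identifier placeholder is what makes `FROM table` parse.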

LuisPaGarcia commented 6 years ago

Great. Thanks a lot!