mysqljs / sqlstring

Simple SQL escape and format for MySQL
MIT License
403 stars 78 forks

sqlstring.escape() wraps input with double quotes, mysql driver throwing ER_PARSE_ERROR when queried. #61

Closed dxataclub closed 3 years ago

dxataclub commented 3 years ago

I'm using sqlstring.escape() to escape unpredicted input; this function wraps the input with quotes ('') which is causing the node mysql driver to throw ER_PARSE_ERROR.

mysql server version: 8.0.23-0ubuntu0.20.04.1
sqlstring version: 2.3.2

Here is a code example:

let sqlstring = require("sqlstring")
let mysql = require("mysql")
// Connection details are placeholders; substitute your own host/user/password.
let sqldriver = mysql.createConnection({ host: "localhost", user: "root", password: "<password>" })

let query = "CREATE DATABASE IF NOT EXISTS ?;"
let input = "my_new_db"

// A single "?" is substituted as a quoted value, so the database name ends up in single quotes.
query = sqlstring.format(query, input) // turns into "CREATE DATABASE IF NOT EXISTS 'my_new_db';"
sqldriver.query(query) // Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''my_new_db'' at line 1

Thank you.

dougwilson commented 3 years ago

Hi @templar-git a single ? is for a value, but a double ?? is for an identifier. You should be using ?? for that position. You can read more about how this module works here: https://github.com/mysqljs/sqlstring#escaping-query-identifiers
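As an added illustration of the ? versus ?? distinction, here is a minimal re-implementation of the placeholder behaviour the README documents (this is example code, not sqlstring's own source, and the NAME_RE allow-list is an assumption of the example, not part of the library): ? becomes a single-quoted, backslash-escaped value, ?? becomes a backtick-quoted identifier, and the reporter's query only parses with the latter.

```javascript
// Minimal stand-in for sqlstring's "?" (value) and "??" (identifier) substitution.
const CHARS_TO_ESCAPE = {
  "\0": "\\0", "\b": "\\b", "\t": "\\t", "\n": "\\n", "\r": "\\r",
  "\x1a": "\\Z", '"': '\\"', "'": "\\'", "\\": "\\\\",
};

// Escape a value: strings are single-quoted with special characters backslash-escaped,
// numbers pass through unquoted, null/undefined become NULL.
function escapeValue(val) {
  if (val === null || val === undefined) return "NULL";
  if (typeof val === "number") return String(val);
  const s = String(val).replace(/[\0\b\t\n\r\x1a"'\\]/g, (c) => CHARS_TO_ESCAPE[c]);
  return "'" + s + "'";
}

// Escape an identifier: each dot-separated part is wrapped in backticks,
// and any backtick inside a part is doubled.
function escapeId(id) {
  return String(id).split(".").map((p) => "`" + p.replace(/`/g, "``") + "`").join(".");
}

// Substitute placeholders left to right: "??" takes escapeId, "?" takes escapeValue.
// A single non-array value is treated as a one-element list, as sqlstring.format does.
function format(sql, values) {
  const vals = Array.isArray(values) ? values : [values];
  let i = 0;
  return sql.replace(/\?\??/g, (m) => {
    if (i >= vals.length) return m;            // leave unmatched placeholders as-is
    const v = vals[i++];
    return m === "??" ? escapeId(v) : escapeValue(v);
  });
}

// The reporter's query: "?" yields a string literal where MySQL expects a name.
const wrong = format("CREATE DATABASE IF NOT EXISTS ?;", "my_new_db");  // ... 'my_new_db';
const right = format("CREATE DATABASE IF NOT EXISTS ??;", "my_new_db"); // ... `my_new_db`;

// Backtick quoting makes any string a syntactically valid identifier, including "my`db",
// so a name taken from user input is best allow-listed (assumed rule: MySQL's 64-char limit,
// word characters only) before it is used to build DDL.
const NAME_RE = /^[A-Za-z0-9_]{1,64}$/;
function createDatabaseSql(name) {
  if (!NAME_RE.test(name)) throw new Error("invalid database name: " + name);
  return format("CREATE DATABASE IF NOT EXISTS ??;", name);
}
```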

dxataclub commented 3 years ago

Thank you @dougwilson