mysqljs / sqlstring

Simple SQL escape and format for MySQL
MIT License

How to use a literal `?` in a formatted query? #63

Closed JonathanHolvey closed 3 years ago

JonathanHolvey commented 3 years ago

If I use the format function on a query that contains a literal ? this gets replaced, as per the documentation. How can I escape the ? character so it doesn't get replaced?

const { format } = require('sqlstring')

format(`select * from mytable where foo = 'https://example.com?a=b' and bar = ?`, ['xyz'])

The resulting output from this would be

select * from mytable where foo = 'https://example.com'xyz'a=b' and bar = ?

whereas I want

select * from mytable where foo = 'https://example.com?a=b' and bar = 'xyz'

dougwilson commented 3 years ago

You need to just put it as an argument. The ? syntax is a copy from mysql placeholder syntax, which also has no way to escape it. Example:

const { format } = require('sqlstring')

format(`select * from mytable where foo = ? and bar = ?`, ['https://example.com?a=b', 'xyz'])
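To make the point of this thread concrete, here is an added example (written for this page, not code from the sqlstring project or either commenter). It re-implements the placeholder scan in simplified form to show why a literal `?` inside the SQL text is indistinguishable from a placeholder, reproduces the collided output from the question, and then shows the parameterized form from the answer. The `escapeValue` helper only approximates the library's escaping for strings, numbers, null and booleans, and `checkedFormat` / `placeholderCount` are hypothetical helpers added here to catch a placeholder/value mismatch before the query is sent.

```javascript
// Added example: a simplified re-implementation of "?" substitution, not the
// sqlstring library's code. Escaping is an approximation for plain values.

const ESCAPE_MAP = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
};

// Quote and backslash-escape a value so it can be embedded as a SQL literal.
function escapeValue(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') return String(value);
  if (typeof value === 'boolean') return value ? 'true' : 'false';
  const s = String(value).replace(/[\0\b\t\n\r\x1a"'\\]/g, (ch) => ESCAPE_MAP[ch]);
  return `'${s}'`;
}

// Quote an identifier (used for the "??" placeholder).
function escapeId(id) {
  return '`' + String(id).replace(/`/g, '``') + '`';
}

// Substitute placeholders left to right. This is a plain text scan, not a SQL
// parser, so a "?" inside a quoted string literal is consumed like any other.
// Placeholders left over once the values run out stay in the text unchanged.
function formatQuery(sql, values) {
  const re = /\?\??/g;
  let out = '';
  let last = 0;
  let i = 0;
  let m;
  while (i < values.length && (m = re.exec(sql)) !== null) {
    const replacement = m[0] === '??' ? escapeId(values[i]) : escapeValue(values[i]);
    out += sql.slice(last, m.index) + replacement;
    last = re.lastIndex;
    i += 1;
  }
  return out + sql.slice(last);
}

// Count placeholders in the SQL text. A literal "?" is counted too, which is
// what makes this a useful pre-flight check: a mismatch with values.length
// means either a missing value or a stray "?" in the text.
function placeholderCount(sql) {
  return (sql.match(/\?\??/g) || []).length;
}

// Hypothetical wrapper: refuse to build a query whose placeholder count does
// not match the number of values supplied.
function checkedFormat(sql, values) {
  const n = placeholderCount(sql);
  if (n !== values.length) {
    throw new Error(`query has ${n} placeholder(s) but ${values.length} value(s) were supplied`);
  }
  return formatQuery(sql, values);
}

// The query from the question, with the URL embedded in the SQL text (constructed input).
function queryWithLiteralUrl() {
  return formatQuery(
    "select * from mytable where foo = 'https://example.com?a=b' and bar = ?",
    ['xyz']
  );
}

// The fix from the answer: every value, URL included, goes through a placeholder.
function queryWithParameterizedUrl() {
  return checkedFormat(
    'select * from mytable where foo = ? and bar = ?',
    ['https://example.com?a=b', 'xyz']
  );
}

// True if checkedFormat rejects the mismatched query from the question.
function mismatchIsRejected() {
  try {
    checkedFormat("select * from mytable where foo = 'https://example.com?a=b' and bar = ?", ['xyz']);
    return false;
  } catch (e) {
    return true;
  }
}

console.log(queryWithLiteralUrl());
console.log(queryWithParameterizedUrl());
```

`queryWithLiteralUrl` produces the broken string from the question because the scan has no notion of quoting; `queryWithParameterizedUrl` produces the intended query, and the `?` inside the substituted URL is never rescanned because the scan runs over the original text, not the output. The count check is the cheap guard to bolt on: it would have flagged the original query (two `?` in the text, one value) before it reached the database.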