I have a value: something's. The value can also be a's'a etc. Sometimes the value is something | a and so on. It works fine. Trying to insert it into MySQL:

mysqlConnection.query('INSERT INTO `something` (`users`,`other`) VALUES (\'' + value + '\',\'' + other + '\')');

It returns a syntax error. How can I insert a value containing the ' symbol with mysql.query?

Arnas A.

1 Answer

Concatenating a query with values is a really bad idea; basically you just need to escape your values properly, but for better security you should look, for example, at this node-mysql lib with prepared statements, and read something about SQL injection.

Also related: Preventing SQL injection in Node.js

Ibraim Ganiev
  • That value is not from a user, so there is no difference. – Arnas A. Sep 27 '15 at 19:06
  • @ArnasA. Ok, if you know the set of such possible characters, just escape them with a backslash as described [here](http://stackoverflow.com/a/881208/1030820). Or if you don't know the set of possible characters, use [node-mysql](https://github.com/felixge/node-mysql#escaping-query-values) for this – Ibraim Ganiev Sep 27 '15 at 19:11
  • Can you explain more? Is this right? `mysqlConnection.query('INSERT INTO something (users,other) VALUES (\'' + mysqlConnection.escape(value) + '\',\'' + other + '\')')` – Arnas A. Sep 27 '15 at 19:20
  • `mysqlConnection.query("INSERT INTO tableName (users, other) VALUES (" + value + "," + other + ")")` But the values themselves must be escaped, e.g. each occurrence of the `'` symbol inside values should be transformed to `\'`; you may write an additional function for this, or use one from another special lib. – Ibraim Ganiev Sep 27 '15 at 19:42
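To make the difference between the question's concatenation and the escaping the answer recommends concrete, here is an added example (not code from the question, the answer, or node-mysql itself). It reimplements the backslash-escaping rules that node-mysql documents for `connection.escape()` and a `?` placeholder formatter, so the resulting SQL text can be inspected without a database; the function names `escapeString`, `formatQuery`, `buildInsertUnsafe` and `buildInsertSafe` are assumptions made for the example.

```javascript
// Added example: a minimal stand-in for node-mysql's escape()/placeholder
// handling (not the library's code), used to show what the driver would send.

// Characters node-mysql's escape() rewrites, backslash-escaped per MySQL rules.
const ESCAPE_MAP = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
};

// Return a quoted SQL string literal with every special character escaped.
function escapeString(val) {
  const body = String(val).replace(/[\0\b\t\n\r\x1a"'\\]/g, (ch) => ESCAPE_MAP[ch]);
  return "'" + body + "'";
}

// Substitute each "?" with the escaped value, mirroring
// connection.query(sql, [values]); numbers are emitted unquoted.
function formatQuery(sql, values) {
  let i = 0;
  return sql.replace(/\?/g, () => {
    if (i >= values.length) throw new Error('not enough values for placeholders');
    const v = values[i++];
    return typeof v === 'number' ? String(v) : escapeString(v);
  });
}

// The question's approach: raw concatenation. A value containing a quote
// yields an unbalanced literal, so MySQL reports a syntax error (and a value
// crafted on purpose could change the statement instead).
function buildInsertUnsafe(value, other) {
  return "INSERT INTO `something` (`users`,`other`) VALUES ('" + value + "','" + other + "')";
}

// The fix: hand the values to the placeholder formatter, which quotes and
// escapes them, so the quote inside the data stays inside the literal.
function buildInsertSafe(value, other) {
  return formatQuery('INSERT INTO `something` (`users`,`other`) VALUES (?, ?)', [value, other]);
}

// Constructed sample inputs taken from the question's description.
console.log(buildInsertUnsafe("something's", "a's'a")); // unbalanced quotes
console.log(buildInsertSafe("something's", "a's'a"));   // ('something\'s', 'a\'s\'a')
```

In real code you pass `[value, other]` as the second argument of `connection.query` and let the driver perform this substitution; note that node-mysql's placeholders are client-side escaping, not server-side prepared statements.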