
I escape the parameter first and then concatenate the SQL string when querying. So when I concatenate query strings like this:

```javascript
const mysql = require('mysql')

const name = mysql.escape(req.info.name)
const sqlString = `select...name like '%${name}%'`
```

It leads to `select ... where name like '%'hello'%'`, but what I want is `select ... where name like '%hello%'`.


Cœur
Aflext
  • First check what ``xss(`hello`)`` gives you. Chances are, you don't need `xss` here, because you're not using the value in an HTML context, you're using it in MySQL. That being said, do you not have access to parameterised queries? – Niet the Dark Absol Jul 28 '17 at 11:54
  • @NiettheDarkAbsol My project needs both query and save SQL string, I just wrote a filter function to parse all the parameters in every request, so the filter function needs to process XSS and SQL injection. – Aflext Jul 28 '17 at 12:00
  • Then you're doing it wrong. XSS prevention should be the final step before outputting to the visitor's browser. It should not be done pre-emptively. – Niet the Dark Absol Jul 28 '17 at 12:01
  • https://stackoverflow.com/questions/17922587/node-mysql-escape-like-statement – robertklep Jul 28 '17 at 12:21
  • You shouldn't need to use `mysql.escape` but in this case you would do `mysql.escape('%${name}%')` – Explosion Pills Jul 28 '17 at 13:11
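The following is an added example (not code from the question, the comments, or the mysql module) that reproduces the quoting problem in the question and shows the fix suggested in the last comment: escape the whole `%...%` pattern, not just the name. `quoteLiteral` is a simplified stand-in for `mysql.escape`, assumed to quote the same way (backslash-escape special characters, then wrap the result in single quotes); `escapeLikeWildcards` is also assumed, since `mysql.escape` does nothing about the `%` and `_` wildcards inside the user's value.

```javascript
// Characters mysql.escape() backslash-escapes inside a string literal (assumed list).
const ESCAPE_MAP = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
};

// Simplified stand-in for mysql.escape(): returns a complete, quoted SQL string literal.
// Because the quotes are part of the return value, it must be applied to the whole
// pattern, never to a fragment that is then pasted inside other quotes.
function quoteLiteral(value) {
  const body = String(value).replace(/[\0\b\t\n\r\x1a"'\\]/g, (ch) => ESCAPE_MAP[ch]);
  return `'${body}'`;
}

// % and _ are LIKE wildcards, so a user searching for "50%" would otherwise match "50" followed by
// anything. Prefix them (and backslash itself) with the default MySQL LIKE escape character.
function escapeLikeWildcards(value) {
  return String(value).replace(/[\\%_]/g, (ch) => `\\${ch}`);
}

// Wrong (what the question does): the quotes added by the escape land inside the pattern,
// producing like '%'hello'%'.
function buildQueryWrong(name) {
  const escaped = quoteLiteral(name);
  return `select * from users where name like '%${escaped}%'`;
}

// Right: build the full pattern first, then escape it once so the quotes wrap the entire literal.
function buildQueryRight(name) {
  const pattern = `%${escapeLikeWildcards(name)}%`;
  return `select * from users where name like ${quoteLiteral(pattern)}`;
}

// Constructed sample inputs: a plain name, one containing a quote, one containing a wildcard.
for (const name of ['hello', "o'r", '50%']) {
  console.log(buildQueryWrong(name));
  console.log(buildQueryRight(name));
}
```

With the real library the same idea applies to placeholders: pass the complete pattern `'%' + escapeLikeWildcards(name) + '%'` as the value for a `?` placeholder, and let the driver quote it.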
