-1

When I insert a word that has apostrophes in the HTML input I get this error

Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near

For example: inserting a word without apostrophes like "Hello world" works successfully and I can see the row in the MySQL table. But when I insert words like "that's" I get the error.

I use varchar for the value row.

// values are concatenated straight into the SQL text, so a ' inside any of them ends the string literal early
connection.query("INSERT INTO masstoadmin (`title`,`contact`,`theuser`,`ptime`,`touser`,`mass_stat`) VALUES ('"+title+"','"+contact+"','"+theuser+"','"+ptime+"','"+tuser+"','"+nmasso+"')");
Veve
dark night
    Learn about SQL injection and [how to escape values](https://github.com/mysqljs/mysql#escaping-query-values). – robertklep Aug 09 '17 at 12:48
  • @robertklep I tried to use connection.escapeId and I still get the error – dark night Aug 09 '17 at 15:10
  • Possible duplicate of [INSERT INTO fails with node-mysql](https://stackoverflow.com/questions/21779528/insert-into-fails-with-node-mysql) – Veve Aug 09 '17 at 15:32

1 Answer

2

You should use placeholders, which also prevent SQL injection by properly escaping the values that you're passing into the query:

connection.query("INSERT INTO masstoadmin (`title`,`contact`,`theuser`,`ptime`,`touser`,`mass_stat`) VALUES (?, ?, ?, ?, ?, ?)", [ title, contact, theuser, ptime, tuser, nmasso ], ...)
robertklep
  • I get this error connection.query("IN­­­SERT INTO masstoadmin (`title`,`contact`,`­­theuser`,`ptime`,`t­o­­user`,`mass_stat`­) VALUES (?,?,?,?,?,?)", [ title,contact,theuse­r,ptime,tuse­r,nmass­o]); ^ SyntaxError: Invalid or unexpected token – dark night Aug 09 '17 at 15:56
  • @darknight see edit. For some reason, your code contained soft hyphens that were breaking the code. I removed them. – robertklep Aug 09 '17 at 16:00
  • I get this error Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'IN­SERT INTO masstoadmin (`title`,`contact`,`theuser`,`ptime`,`to­user`,`mass_' at line 1 – dark night Aug 09 '17 at 16:11
  • @darknight there were more junk characters in the code you posted, try again. – robertklep Aug 09 '17 at 16:13