3

I am using mysql-node: https://github.com/mysqljs/mysql but I am a little confused about default sanitization, Mysql.Escape() vs Mysql.EscapeId() and the use of ? vs ??. The docs says?

Default Sanitization

When you pass an Object to .escape() or .query(), .escapeId() is used to avoid SQL injection in object keys.

I see the term Object, so does that mean I should still escape queries like this?

UPDATE table SET updated_at = userInput WHERE name = userInput.

Mysql.Escape() vs Mysql.EscapeId()
What is the difference between these two functions. The docs says mysql.escape uses mysql.escapeId. I know they both sanitize input but is there a case where you use one or the other?

? vs ??
The docs use ? and ?? interchangeably. Do they mean the same thing?

Shadow
  • 33,525
  • 10
  • 51
  • 64
Yasin Yaqoobi
  • 1,888
  • 3
  • 27
  • 38

2 Answers2

5

The documentation describes what escape() and escapeId() do. Use escape() when you need to escape values. Use escapeId() when you need to escape identifiers (e.g., table, database, or column names).

Edwin Torres
  • 2,774
  • 1
  • 13
  • 15
3

I talked to the maintainer of mysqljs and confirmed that this package doesn't escape queries by default.

When you pass an Object to .escape() or .query(), .escapeId() is used to avoid SQL injection in object keys.

The statement above means queries will be escaped if you use one of the following methods. 

let args = { name: 'myname' otherVals: 'blah blah'}; 
mysql.query('Insert INTO table SET ?',args);

let name = 'test'; 
mysql.query('INSERT INTO table SET name = ?', [name]);

For the second part of the questions: ?? and escapeId is used for identifiers and ? and escape() is used for values.

Yasin Yaqoobi
  • 1,888
  • 3
  • 27
  • 38