NodeJS / MySQL quotes in query data url

Question

Heey all, I have a quick question concerning simple/double quotes in javascript, using NodeJS and MySQL database.. here's my code

app.get('/AddCollection', function (req, res) {
  var queryData = url.parse(req.url , true).query;
    connection.query("INSERT IGNORE INTO collections VALUES ('" +queryData.nom+ "' ,'"  +queryData.categorie+ "','" +queryData.description+ "','" + queryData.urlimage+"')", function (err, result) {
            if (err) throw err;
            res.json("Vous avez ajouté "+queryData.categorie+"et"+queryData.description+"et"+queryData.objet+"a la table");
        }
    );
});

<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react-dom.min.js"></script>

delete query :

app.get('/DeleteCollection', function (req, res) {
  var queryData = url.parse(req.url , true).query;
    connection.query("DELETE FROM `collections` WHERE `collections`.`nom` ='"+queryData.nom+"'", function (err, result) {
            if (err) throw err;
            res.json("Vous avez ajouté supprimé la collection"+ queryData.nom);
        }
    );
});

Thing is that I already used simple and double quotes for the call. So for example, if queryData.nom or queryData.categorie is equal to the heroes' places then the code won't work as it will confuse the simple quotes.. How do I fix that?

Answer 1

Parameterize your query

connection.query("INSERT IGNORE INTO collections VALUES (?, ?, ?, ?)", [queryData.nom, queryData.categorie, queryData.description, queryData.urlimage], function (err, result) {
        if (err) throw err;
        res.json("Vous avez ajouté "+queryData.categorie+"et"+queryData.description+"et"+queryData.objet+"a la table");
    }
);