
I have a value: something's. The value can also be a's'a, etc. Sometimes the value is something | a, and so on. It works fine. Trying to insert it into MySQL:

mysqlConnection.query('INSERT INTO `something` (`users`,`other`) VALUES (\'' + value + '\',\'' + other + '\')');

It returns a syntax error. How can I insert a value containing the ' symbol with mysql.query?


1 Answer


Concatenating a query with values is a really bad idea; basically you just need to escape your values properly, but for better security you should look, for example, at the node-mysql lib with prepared statements, and read something about SQL injection.

Also related: Preventing SQL injection in Node.js


4 Comments

That value is not from a user, so there is no difference.
@ArnasA. Ok, if you know the set of such possible characters, just escape them with a backslash as described here. Or if you don't know the set of possible characters, use node-mysql for this.
Can you explain more? Is this right? mysqlConnection.query('INSERT INTO something (users,other) VALUES (\'' + mysqlConnection.escape(value) + '\',\'' + other + '\')')
mysqlConnection.query("INSERT INTO tableName (users, other) VALUES (" + value + "," + other + ")") But the values themselves must be escaped, e.g. each occurrence of the ' symbol inside a value should be transformed to \', you may write an additional function for this, or use one from another special lib.
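Added example, not code from the question, the answer or the mysql library: a self-contained model of what the answer and comments describe, node-mysql style escape() and ? placeholders, shown next to the question's concatenation so the broken quote can be seen without a database. It assumes sqlstring's escaping rules (backslash-escaping quotes, backslashes and control characters); the helper names escapeValue, format, naiveInsert and literalsBalanced are mine.

```javascript
// Characters a MySQL string literal requires us to escape, modelled on the
// rules sqlstring uses (assumption: same character set as the library).
const ESCAPES = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
};

// Turn a JS value into a SQL literal: strings are quoted and escaped, finite
// numbers pass through, null/undefined become NULL, booleans become true/false.
function escapeValue(val) {
  if (val === null || val === undefined) return 'NULL';
  if (typeof val === 'number') return Number.isFinite(val) ? String(val) : 'NULL';
  if (typeof val === 'boolean') return val ? 'true' : 'false';
  const body = String(val).replace(/[\0\b\t\n\r\x1a"'\\]/g, (ch) => ESCAPES[ch]);
  return "'" + body + "'";
}

// Replace each ? placeholder with the escaped value in a single pass, so a ?
// that sits inside an escaped value is never treated as a placeholder itself.
function format(sql, values) {
  let i = 0;
  return sql.replace(/\?/g, () => {
    if (i >= values.length) throw new Error('not enough values for placeholders');
    return escapeValue(values[i++]);
  });
}

// The question's pattern: paste the raw value between hand-written quotes.
function naiveInsert(value, other) {
  return "INSERT INTO `something` (`users`,`other`) VALUES ('" + value + "','" + other + "')";
}

// Scans a statement and reports whether every single-quoted literal is closed
// (honouring backslash escapes). A dangling quote is exactly what produced the
// question's syntax error; it does not detect every other malformed statement.
function literalsBalanced(sql) {
  let inString = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inString && ch === '\\') { i++; continue; } // skip the escaped character
    if (ch === "'") inString = !inString;
  }
  return !inString;
}

// Usage: the concatenated statement has an unclosed literal, the formatted one does not.
const unsafe = naiveInsert("something's", 'x');
const safe = format('INSERT INTO `something` (`users`,`other`) VALUES (?,?)', ["something's", 'x']);
console.log(literalsBalanced(unsafe), unsafe);
console.log(literalsBalanced(safe), safe);
```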
