File tree 1 file changed +12
-0
lines changed 1 file changed +12
-0
lines changed Original file line number Diff line number Diff line change @@ -759,6 +759,18 @@ connection.query(
759759[ NO_BACKSLASH_ESCAPES] ( https://dev.mysql.com/doc/refman/5.7/en/sql-mode.html#sqlmode_no_backslash_escapes )
760760SQL mode is disabled (which is the default state for MySQL servers).
761761
762+ ** Caution** This library performs client-side escaping, as this is a library
763+ to generate SQL strings on the client side. The syntax for functions like
764+ ` mysql.format ` may look similar to a prepared statement, but it is not
765+ and the escaping rules from this module are used to generate a resulting SQL
766+ string. The purpose of escaping input is to avoid SQL Injection attacks.
767+ In order to support enhanced support like ` SET ` and ` IN ` formatting, this
768+ module will escape based on the shape of the passed in JavaScript value,
769+ and the resulting escaped string may be more than a single value. When
770+ structured user input is provided as the value to escape, care should be taken
771+ to validate the shape of the input to validate the output will be what is
772+ expected.
773+
762774In order to avoid SQL Injection attacks, you should always escape any user
763775provided data before using it inside a SQL query. You can do so using the
764776` mysql.escape() ` , ` connection.escape() ` or ` pool.escape() ` methods:
You can’t perform that action at this time.
0 commit comments