@@ -16,7 +16,6 @@ $ npm install sqlstring
1616
1717## Usage
1818
19- <!-- eslint-disable no-undef, no-unused-vars -->
2019
2120``` js
2221var SqlString = require (' sqlstring'
@@ -32,8 +31,6 @@ In order to avoid SQL Injection attacks, you should always escape any user
3231provided data before using it inside a SQL query. You can do so using the
3332` SqlString.escape() ` method:
3433
35- <!-- eslint-disable no-undef -->
36-
3734``` js
3835var userId = ' some user provided value'
3936var sql = ' SELECT * FROM users WHERE id = ' + SqlString .escape (userId);
@@ -43,8 +40,6 @@ console.log(sql); // SELECT * FROM users WHERE id = 'some user provided value'
4340Alternatively, you can use ` ? ` characters as placeholders for values you would
4441like to have escaped like this:
4542
46- <!-- eslint-disable no-undef -->
47-
4843``` js
4944var userId = 1 ;
5045var sql = SqlString .format (' SELECT * FROM users WHERE id = ?'
@@ -55,8 +50,6 @@ Multiple placeholders are mapped to values in the same order as passed. For exam
5550in the following query ` foo ` equals ` a ` , ` bar ` equals ` b ` , ` baz ` equals ` c ` , and
5651` id ` will be ` userId ` :
5752
58- <!-- eslint-disable no-undef -->
59-
6053``` js
6154var userId = 1 ;
6255var sql = SqlString .format (' UPDATE users SET foo = ?, bar = ?, baz = ? WHERE id = ?'
@@ -93,8 +86,6 @@ Different value types are escaped differently, here is how:
9386
9487You may have noticed that this escaping allows you to do neat things like this:
9588
96- <!-- eslint-disable no-undef -->
97-
9889``` js
9990var post = {id: 1 , title: ' Hello MySQL'
10091var sql = SqlString .format (' INSERT INTO posts SET ?'
@@ -103,8 +94,6 @@ console.log(sql); // INSERT INTO posts SET `id` = 1, `title` = 'Hello MySQL'
10394
10495And the ` toSqlString ` method allows you to form complex queries with functions:
10596
106- <!-- eslint-disable no-undef -->
107-
10897``` js
10998var CURRENT_TIMESTAMP = { toSqlString : function () { return ' CURRENT_TIMESTAMP()'
11099var sql = SqlString .format (' UPDATE posts SET modified = ? WHERE id = ?' CURRENT_TIMESTAMP , 42 ]);
@@ -118,8 +107,6 @@ placeholder, useful for using functions as dynamic values:
118107** Caution** The string provided to ` SqlString.raw() ` will skip all escaping
119108functions when used, so be careful when passing in unvalidated input.
120109
121- <!-- eslint-disable no-undef -->
122-
123110``` js
124111var CURRENT_TIMESTAMP = SqlString .raw (' CURRENT_TIMESTAMP()'
125112var sql = SqlString .format (' UPDATE posts SET modified = ? WHERE id = ?' CURRENT_TIMESTAMP , 42 ]);
@@ -129,8 +116,6 @@ console.log(sql); // UPDATE posts SET modified = CURRENT_TIMESTAMP() WHERE id =
129116If you feel the need to escape queries by yourself, you can also use the escaping
130117function directly:
131118
132- <!-- eslint-disable no-undef -->
133-
134119``` js
135120var sql = ' SELECT * FROM posts WHERE title=' + SqlString .escape (' Hello MySQL'
136121console .log (sql); // SELECT * FROM posts WHERE title='Hello MySQL'
@@ -141,8 +126,6 @@ console.log(sql); // SELECT * FROM posts WHERE title='Hello MySQL'
141126If you can't trust an SQL identifier (database / table / column name) because it is
142127provided by a user, you should escape it with ` SqlString.escapeId(identifier) ` like this:
143128
144- <!-- eslint-disable no-undef -->
145-
146129``` js
147130var sorter = ' date'
148131var sql = ' SELECT * FROM posts ORDER BY ' + SqlString .escapeId (sorter);
@@ -151,8 +134,6 @@ console.log(sql); // SELECT * FROM posts ORDER BY `date`
151134
152135It also supports adding qualified identifiers. It will escape both parts.
153136
154- <!-- eslint-disable no-undef -->
155-
156137``` js
157138var sorter = ' date'
158139var sql = ' SELECT * FROM posts ORDER BY ' + SqlString .escapeId (' posts.' + sorter);
@@ -162,8 +143,6 @@ console.log(sql); // SELECT * FROM posts ORDER BY `posts`.`date`
162143If you do not want to treat ` . ` as qualified identifiers, you can set the second
163144argument to ` true ` in order to keep the string as a literal identifier:
164145
165- <!-- eslint-disable no-undef -->
166-
167146``` js
168147var sorter = ' date.2'
169148var sql = ' SELECT * FROM posts ORDER BY ' + SqlString .escapeId (sorter, true );
@@ -173,8 +152,6 @@ console.log(sql); // SELECT * FROM posts ORDER BY `date.2`
173152Alternatively, you can use ` ?? ` characters as placeholders for identifiers you would
174153like to have escaped like this:
175154
176- <!-- eslint-disable no-undef -->
177-
178155``` js
179156var userId = 1 ;
180157var columns = [' username' ' email'
@@ -190,8 +167,6 @@ When you pass an Object to `.escape()` or `.format()`, `.escapeId()` is used to
190167You can use ` SqlString.format ` to prepare a query with multiple insertion points,
191168utilizing the proper escaping for ids and values. A simple example of this follows:
192169
193- <!-- eslint-disable no-undef -->
194-
195170``` js
196171var userId = 1 ;
197172var inserts = [' users' ' id'
@@ -208,8 +183,6 @@ location-specific/timezone-aware `Date`.
208183This can be further combined with the ` SqlString.raw() ` helper to generate SQL
209184that includes MySQL functions as dynamic vales:
210185
211- <!-- eslint-disable no-undef -->
212-
213186``` js
214187var userId = 1 ;
215188var data = { email: ' foobar@example.com' : SqlString .raw (' NOW()'
0 commit comments