
sqlstring.escape() wraps input with double quotes, mysql driver throwing ER_PARSE_ERROR when queried. #61


Closed
dxataclub opened this issue Apr 2, 2021 · 2 comments

@dxataclub

I'm using sqlstring.escape() to escape unpredictable input. This function wraps the input in single quotes (''), which causes the node mysql driver to throw ER_PARSE_ERROR.

mysql server version: 8.0.23-0ubuntu0.20.04.1
sqlstring version: 2.3.2

Here is a code example:

let sqlstring = require("sqlstring")
let mysql = require("mysql")
// Connection details below are placeholders added so the snippet runs; they are not part of the original report.
let sqldriver = mysql.createConnection({ host: "localhost", user: "root", password: "" })

let query = "CREATE DATABASE IF NOT EXISTS ?;"
let input = "my_new_db"

// A single ? is substituted as a value, so the name is wrapped in single quotes.
query = sqlstring.format(query, input) // turns into "CREATE DATABASE IF NOT EXISTS 'my_new_db';"
sqldriver.query(query) // Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''my_new_db'' at line 1

Thank you.

@dougwilson
Member

Hi @templar-git, a single ? is for a value, but a double ?? is for an identifier. You should be using ?? for that position. You can read more about how this module works here: https://github.com/mysqljs/sqlstring#escaping-query-identifiers
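To make the `?` versus `??` distinction concrete, here is an added, self-contained example; it is not code from the issue or from the sqlstring project. The `escape`, `escapeId` and `format` functions below are a hand-written re-implementation that follows sqlstring's documented behaviour (values become backslash-escaped single-quoted literals, identifiers become backtick-quoted names with embedded backticks doubled and dotted names split per part), written out so the file runs without the module installed; in real code use `require("sqlstring")`. The `assertPlainIdentifier` helper and the hostile input string are assumptions constructed for the demonstration.

```javascript
// Re-implementation of sqlstring's two escaping paths, for illustration only
// (not the library's own source): escape() for VALUES, escapeId() for IDENTIFIERS.

const ESCAPE_MAP = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
};

// Value escaping: the result is a string literal the server parses as DATA.
function escape(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') return String(value);
  if (typeof value === 'boolean') return value ? 'true' : 'false';
  if (Array.isArray(value)) return value.map(escape).join(', ');
  const s = String(value).replace(/[\0\b\t\n\r\x1a"'\\]/g, (c) => ESCAPE_MAP[c]);
  return "'" + s + "'";
}

// Identifier escaping: backtick-quote each dotted part; a backtick inside the
// name is doubled so it cannot close the quoted identifier early.
function escapeId(id) {
  if (Array.isArray(id)) return id.map(escapeId).join(', ');
  return '`' + String(id).replace(/`/g, '``').replace(/\./g, '`.`') + '`';
}

// format(): `??` -> escapeId, `?` -> escape; runs of three or more `?` are left alone.
function format(sql, values) {
  if (values === null || values === undefined) return sql;
  if (!Array.isArray(values)) values = [values];
  const re = /\?+/g;
  let out = '';
  let chunk = 0;
  let i = 0;
  let m;
  while (i < values.length && (m = re.exec(sql))) {
    if (m[0].length > 2) continue;
    const sub = m[0].length === 2 ? escapeId(values[i]) : escape(values[i]);
    out += sql.slice(chunk, m.index) + sub;
    chunk = re.lastIndex;
    i += 1;
  }
  return chunk === 0 ? sql : out + sql.slice(chunk);
}

// Quoting makes a name syntactically inert; it does not make it acceptable.
// Assumed helper: for user-chosen names such as a new database, also enforce a
// strict shape (MySQL limits unquoted identifiers to 64 chars) before formatting.
function assertPlainIdentifier(name) {
  if (!/^[A-Za-z0-9_]{1,64}$/.test(name)) {
    throw new Error('identifier rejected: ' + JSON.stringify(name));
  }
  return name;
}

// 1. The query from the issue: a value placeholder where an identifier belongs.
const wrong = format('CREATE DATABASE IF NOT EXISTS ?;', 'my_new_db');
// -> CREATE DATABASE IF NOT EXISTS 'my_new_db';   (server answers ER_PARSE_ERROR)

// 2. The fix the maintainer describes: ?? for the identifier position.
const right = format('CREATE DATABASE IF NOT EXISTS ??;', 'my_new_db');
// -> CREATE DATABASE IF NOT EXISTS `my_new_db`;

// 3. Constructed hostile input: with ?? the embedded backtick is doubled, so the
//    whole string stays ONE identifier instead of closing it and starting a statement.
const hostile = 'x` ; DROP DATABASE prod; -- ';
const quotedHostile = escapeId(hostile);
// -> `x`` ; DROP DATABASE prod; -- `

// 4. Mixed placeholders: identifiers via ??, data via ?, in one statement.
const mixed = format(
  'SELECT ?? FROM ?? WHERE ?? = ? AND ?? = ?',
  ['u.name', 'users', 'u.id', 42, 'u.note', "O'Brien"]
);
// -> SELECT `u`.`name` FROM `users` WHERE `u`.`id` = 42 AND `u`.`note` = 'O\'Brien'

// 5. Belt and braces for a user-chosen database name: validate, then quote.
function createDatabaseSql(name) {
  return format('CREATE DATABASE IF NOT EXISTS ??;', assertPlainIdentifier(name));
}

console.log(wrong);
console.log(right);
console.log(quotedHostile);
console.log(mixed);
console.log(createDatabaseSql('my_new_db'));
```

Two points worth keeping separate: `??` fixes the syntax error and neutralises backticks, but it is still quoting, not authorisation. A name the user controls still ends up as a real object on the server, so pair `??` with a shape check or allowlist, as `createDatabaseSql` does; `assertPlainIdentifier` throws on the hostile string above.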

@dxataclub
Author

Thank you @dougwilson
