I have a value: something's. The value can also be a's'a etc. Sometimes the value is something | a, and so on. It works fine. I'm trying to insert it into MySQL:
mysqlConnection.query('INSERT INTO `something` (`users`,`other`) VALUES (\'' + value + '\',\'' + other + '\')', function (err, result) { if (err) throw err; });
It returns a syntax error. How can I insert a value containing the ' symbol with mysql.query?
Concatenating a query with values is a really bad idea. Basically you just need to escape your values properly, but for better security you should look, for example, at the node-mysql
lib with prepared statements, and read something about SQL injection.
Also related: Preventing SQL injection in Node.js
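To make the answer's point concrete, here is an added example (not code from the question or the answer, and not node-mysql's own implementation). It shows why the concatenated query from the question breaks on `something's`, why the same pattern is an injection hole, and how `?` placeholders with separate values keep a quote inside the string literal. The `escapeString` and `format` helpers are assumptions that mirror the client-side escaping node-mysql performs when you call `connection.query(sql, [values], cb)`; in real code use the library's own placeholder support or `mysql.escape()` rather than this helper.

```javascript
// Added example: concatenation vs. placeholder formatting for the question's INSERT.
// Constructed sample inputs: the benign value from the question and a hostile one.
const BENIGN = "something's";
const HOSTILE = "x', 'y'); DROP TABLE `something`; -- ";

// The pattern from the question: the value is spliced straight into the SQL text.
// With BENIGN the apostrophe closes the literal early -> MySQL syntax error.
// With HOSTILE the attacker closes the literal and appends a second statement.
function concatenatedInsert(value, other) {
  return "INSERT INTO `something` (`users`,`other`) VALUES ('" + value + "','" + other + "')";
}

// Escape one string literal the way a MySQL client does (quotes, backslash and
// control characters get a backslash prefix). Assumed helper for illustration.
function escapeString(str) {
  const map = {
    '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
    '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
  };
  return "'" + String(str).replace(/[\0\b\t\n\r\x1a"'\\]/g, (c) => map[c]) + "'";
}

// Minimal `?` substitution, like the client-side formatting node-mysql applies when
// an array of values is passed as the second argument to query(). Assumed helper.
//   sql    - template with `?` markers
//   values - array of strings, numbers or null, one per marker
function format(sql, values) {
  let i = 0;
  return sql.replace(/\?/g, () => {
    if (i >= values.length) throw new Error('not enough values for placeholders');
    const v = values[i++];
    if (v === null || v === undefined) return 'NULL';
    if (typeof v === 'number') return String(v);
    return escapeString(v);
  });
}

// The recommended shape: the query text never contains the data itself.
function parameterizedInsert(value, other) {
  return format('INSERT INTO `something` (`users`,`other`) VALUES (?, ?)', [value, other]);
}

// Stand-alone demo: print both forms for the benign and the hostile value.
for (const v of [BENIGN, HOSTILE]) {
  console.log('concatenated : ' + concatenatedInsert(v, 'a'));
  console.log('parameterized: ' + parameterizedInsert(v, 'a'));
}
```

In the parameterized output every `'` inside the data is emitted as `\'`, so `something's` is inserted as-is and the `DROP TABLE` in the hostile value stays a harmless part of the `users` column value. The real protection comes from the library doing this escaping (or, with a driver that supports server-side prepared statements, sending values separately from the statement), which is why the value should never be glued into the SQL string by hand.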