Generated on Apr 24, 2024 via pnpm

sqlstring 2.3.3

Simple SQL escape and format for MySQL
Package summary

Issues: 0
Licenses: 1 (MIT)
Package created: 25 Feb 2014
Version published: 6 Mar 2022
Maintainers: 2
Total deps: 1
Direct deps: 0
License: MIT

Issues: 0

This package has no issues.

Licenses

MIT License (Permissive, OSI Approved)

This is a human-readable summary of (and not a substitute for) the license; see the disclaimer below.

Can: commercial-use, modify, distribute, sublicense, private-use
Cannot: hold-liable
Must: include-copyright, include-license

1 package, including: sqlstring@2.3.3
Disclaimer

This deed highlights only some of the key features and terms of the actual license. It is not a license and has no legal value. You should carefully review all of the terms and conditions of the actual license before using the licensed material.

Sandworm is not a law firm and does not provide legal services. Distributing, displaying, or linking to this deed or the license that it summarizes does not create a lawyer-client or any other relationship.

Direct Dependencies: 0

This is a list of sqlstring's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

Frequently Asked Questions

What does sqlstring do?

SqlString is an npm package that provides simple SQL escaping and formatting geared towards MySQL. It offers a line of defense against SQL injection by providing methods to escape user-supplied data before it is placed in a SQL query. SqlString can also format queries with multiple insertion points while correctly handling the escaping of both identifiers and values.

How do you use sqlstring?

To use SqlString, first install the package with npm using the command npm install sqlstring. Then import it into your JavaScript code with var SqlString = require('sqlstring');.

To escape query values, use the SqlString.escape() method as follows:

var userId = 'user input';
var sql = 'SELECT * FROM users WHERE id = ' + SqlString.escape(userId);
console.log(sql); // Outputs: SELECT * FROM users WHERE id = 'user input'

SqlString also supports ? as a placeholder for values that you want escaped:

var userId = 1;
var sql = SqlString.format('SELECT * FROM users WHERE id = ?', [userId]);
console.log(sql); // Outputs: SELECT * FROM users WHERE id = 1

You can use SqlString.raw() to insert SQL fragments such as function calls verbatim; because raw fragments are not escaped, they must only ever be built from literals you control, never from user input:

var CURRENT_TIMESTAMP = SqlString.raw('CURRENT_TIMESTAMP()');
var sql = SqlString.format('UPDATE posts SET modified = ? WHERE id = ?', [CURRENT_TIMESTAMP, 42]);
console.log(sql); // Outputs: UPDATE posts SET modified = CURRENT_TIMESTAMP() WHERE id = 42

Escaping query identifiers can be done with SqlString.escapeId(identifier), and you can also use ?? as placeholders for identifiers you need to have escaped.

SqlString.format() can also prepare a query with multiple insertion points, mixing ?? for identifiers and ? for values:

var userId  = 1;
var inserts = ['users', 'id', userId];
var sql = SqlString.format('SELECT * FROM ?? WHERE ?? = ?', inserts);
console.log(sql); // Outputs: SELECT * FROM `users` WHERE `id` = 1

Where are the sqlstring docs?

The documentation for SqlString can be found in the README file of the package, available in the SqlString GitHub repository. The README gives an overview of how to install the package, how to use its functions, and other essential information. The GitHub repository is the primary source of documentation for SqlString.