Hi there
Does this module have a security feature to prevent SQL injection? (e.g. similar to https://github.com/felixge/node-mysql#escaping-query-values)
If not, can any existing modules handle this?
I think this is a very much needed feature.
This module has escaping built-in. Just use parameters to pass escaped values to your query.
var request = new sql.Request();
request.input('myval', sql.VarChar, '-- commented');
request.query('select @myval as myval', function(err, recordset) {
console.dir(recordset);
});
Thanks for the info.
I think it is an important feature to be mentioned in the doc.
On 9 Jul 2014, at 11:18 am, Patrik Simek [email protected] wrote:
This module has escaping built-in. Just use parameters to pass escaped values to your query.
var request = new sql.Request();
request.input('myval', sql.VarChar, '-- commented');
request.query('select @myval as myval', function(err, recordset) {
console.dir(recordset);
});
Hi, please add this example to the wiki.
It took me quite some time to figure it out.
It looks like it can only be used with prepared statements.
thanks
It would be nice to have an example showing how we should escape params for a WHERE clause,
e.g. SELECT * FROM TableName WHERE username = ?? AND email = ?? I'm not sure how I can insert values for username and email to have them escaped.