MySql node, how to escape queries?

I'm using the node-red-node-mysql, but I need to escape the queries, mainly because single quotes break the queries.
How can I do that?

Show us an example query you are trying to use.

You don't. Use parameters instead (see the node's readme).

It will save you from a future sequel injection hack :slight_smile:

1 Like

Cool, thanks a lot! This way the queries are even more readable.
I'm asking myself why on the GitHub page there's this:

By its very nature it allows SQL injection... so be careful out there...

That looks outdated.

The real readme is up-to-date and details the use of parameters: node-red-node-mysql (node) - Node-RED

I'm having a problem using LIKE

if (msg.payload.view_as == "master") {
    // placeholder written inside the quotes of the LIKE pattern
    msg.topic = "SELECT * FROM table1 WHERE column1 LIKE '%:view_as%'";
}

I can't seem to place that "view_as", I always get the variable name and not its value.

Parameters don't have quotes.
Prepare a variable beforehand and specify its name in the query.

if (msg.payload.view_as == "master") {
    // build the whole wildcard pattern in JavaScript...
    msg.payload.view = '%' + msg.payload.view_as + '%';
    // ...and bind it as one unquoted parameter
    msg.topic = "SELECT * FROM table1 WHERE (column1 LIKE :view);";
}
return msg;
1 Like
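The two pieces of advice in this thread (use named parameters instead of gluing values into the SQL text, and build the whole LIKE pattern in JavaScript before binding it) are shown together in the added example below. This is not code from the thread or from node-red-node-mysql: `escapeLiteral()` and `formatNamed()` are a simplified stand-in for the escaping that the node delegates to the MySQL driver, written only so the effect of each approach can be seen offline. The table and column names are the ones used in the thread; the input values are constructed.

```javascript
// Added example, not part of the original thread or of node-red-node-mysql.
// escapeLiteral() and formatNamed() are assumed, simplified versions of what
// a MySQL driver does when it substitutes :name parameters; the real node
// hands this job to the driver.

// Escape a JavaScript value into a MySQL string literal by backslash-escaping
// the characters MySQL treats specially inside a quoted string.
function escapeLiteral(value) {
  if (value === null || value === undefined) return "NULL";
  if (typeof value === "number") return String(value);
  if (typeof value === "boolean") return value ? "true" : "false";
  const escaped = String(value).replace(/[\0\n\r\b\t\\'"\x1a]/g, (ch) => {
    switch (ch) {
      case "\0": return "\\0";
      case "\n": return "\\n";
      case "\r": return "\\r";
      case "\b": return "\\b";
      case "\t": return "\\t";
      case "\x1a": return "\\Z";
      default: return "\\" + ch; // quote characters and backslash
    }
  });
  return "'" + escaped + "'";
}

// Replace every :name token in the query with the escaped value from params.
// Unknown names are left as-is so that a typo stays visible in the query text.
function formatNamed(query, params) {
  return query.replace(/:(\w+)/g, (token, key) =>
    Object.prototype.hasOwnProperty.call(params, key) ? escapeLiteral(params[key]) : token);
}

// What the original poster started with: the value concatenated into the SQL.
function unsafeQuery(viewAs) {
  return "SELECT * FROM table1 WHERE column1 LIKE '%" + viewAs + "%'";
}

// What the thread recommends: build the wildcard pattern in JavaScript and
// bind it as one parameter. Returns the msg a function node would pass on.
function buildLikeMsg(viewAs) {
  const msg = { payload: {} };
  msg.payload.view = "%" + viewAs + "%";
  msg.topic = "SELECT * FROM table1 WHERE (column1 LIKE :view)";
  return msg;
}

// The SQL text the stand-in formatter would produce for a bound msg.
function renderMsg(msg) {
  return formatNamed(msg.topic, msg.payload);
}

// Constructed inputs: a harmless value, one with an apostrophe, one crafted.
console.log(unsafeQuery("master"));            // fine by luck
console.log(unsafeQuery("O'Brien"));           // unbalanced quote, query breaks
console.log(unsafeQuery("x%' OR '1'='1"));     // WHERE clause rewritten
console.log(renderMsg(buildLikeMsg("O'Brien")));       // quote escaped, stays data
console.log(renderMsg(buildLikeMsg("x%' OR '1'='1"))); // still just a pattern
// Placeholder inside the quotes, as in the poster's first attempt: whatever
// the real node prints for this, the token cannot live inside the literal.
console.log(renderMsg({ topic: "SELECT * FROM table1 WHERE column1 LIKE '%:view%'", payload: { view: "master" } }));
```

The bound form keeps the wildcard characters as part of the data, so `%` and `_` supplied by a user still act as LIKE wildcards (a matching concern, not an injection one); if that matters, escape them in JavaScript before building `msg.payload.view`.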


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.