
Commit 115ac83

docs: add explicit note regarding value shape validation
1 parent 5aa85a7 commit 115ac83


1 file changed

+12
-0
lines changed


README.md

+12
@@ -27,6 +27,18 @@ var SqlString = require('sqlstring');
2727
[NO_BACKSLASH_ESCAPES](https://dev.mysql.com/doc/refman/5.7/en/sql-mode.html#sqlmode_no_backslash_escapes)
2828
SQL mode is disabled (which is the default state for MySQL servers).
2929

30+
**Caution** This library performs client-side escaping, as this is a library
31+
to generate SQL strings on the client side. The syntax for functions like
32+
`SqlString.format` may look similar to a prepared statement, but it is not
33+
and the escaping rules from this module are used to generate a resulting SQL
34+
string. The purpose of escaping input is to avoid SQL Injection attacks.
35+
In order to support enhanced support like `SET` and `IN` formatting, this
36+
module will escape based on the shape of the passed in JavaScript value,
37+
and the resulting escaped string may be more than a single value. When
38+
structured user input is provided as the value to escape, care should be taken
39+
to validate the shape of the input to validate the output will be what is
40+
expected.
41+
3042
In order to avoid SQL Injection attacks, you should always escape any user
3143
provided data before using it inside a SQL query. You can do so using the
3244
`SqlString.escape()` method:
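Review bot: The new caution paragraph (lines 30-40 of the hunk) warns that escaping depends on the shape of the JavaScript value and that the result "may be more than a single value", but it gives the reader no concrete illustration of what that means, which is the part a developer validating untrusted input actually needs; consider adding a short before/after line showing a structured value (for example an array used with `IN`, or an object used with `SET`, both of which the paragraph names) and the multi-value SQL fragment it expands to, so the shape-validation advice is actionable rather than abstract. Two wording points in the same span: "In order to support enhanced support like `SET` and `IN` formatting" repeats "support" and reads better as "In order to support features like `SET` and `IN` formatting", and "care should be taken to validate the shape of the input to validate the output will be what is expected" doubles "validate"; suggest "care should be taken to validate the shape of the input so that the output is what is expected". Finally, since the paragraph is placed directly before the existing "you should always escape any user provided data" guidance, it may be worth a sentence making explicit that escaping alone does not replace shape validation when the value comes from user input, as the two pieces of advice otherwise read as independent.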
