Package Exports

sql-escape-string

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (sql-escape-string) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

sql-escape-string

Simple SQL string escape.

const escapeString = require('sql-string-escape')
const sqlString = "Sup'er"
console.log(escapeString(sqlString)) // => Sup''er

Installation

npm install sql-escape-string

Note

Original implementation from sqlstring with the added option of supporting or not supporting backslash.

API

escapeString

Escapes the given string to protect against SQL injection attacks.

By default it assumes that backslashes are not supported as they are not part of the standard SQL spec. Quoting from the SQLlite web site:

C-style escapes using the backslash character are not supported because they are not standard SQL.

This means three things:

backslashes and double quotes " are not escaped by default
single quotes are escaped via '' instead of \'
your sql engine should throw an error when encountering a backslash escape as part of a string, unless it is a literal backslash, i.e. 'backslash: \\'.

It is recommended to set the backslashSupported option true if your SQL engine supports it. In that case backslash sequences are escaped and single and double quotes are escaped via a backslash, i.e. '\''.

Parameters

val String the original string to be used in a SQL query
$0 Object opts
- $0.backslashSupported Boolean? if true backslashes are supported (optional, default false)
opts

Returns String the original string escaped wrapped in single quotes, i.e. 'mystring'

License

MIT