### Installation

Source: https://www.npmjs.com/package/sqlstring?activeTab=code

Install the sqlstring package using npm.

```bash
$ npm install sqlstring
```

--------------------------------

### Using Objects and toSqlString with SqlString.format()

Source: https://www.npmjs.com/package/sqlstring?activeTab=readme

Demonstrates how to use objects and the `toSqlString` method for dynamic SQL generation, including using `SqlString.raw()` for unescaped values.

You may have noticed that this escaping allows you to do neat things like this:

```javascript
var post = {id: 1, title: 'Hello MySQL'};
var sql = SqlString.format('INSERT INTO posts SET ?', post);
console.log(sql); // INSERT INTO posts SET `id` = 1, `title` = 'Hello MySQL'
```

And the `toSqlString` method allows you to form complex queries with functions:

```javascript
var CURRENT_TIMESTAMP = { toSqlString: function() { return 'CURRENT_TIMESTAMP()'; } };
var sql = SqlString.format('UPDATE posts SET modified = ? WHERE id = ?', [CURRENT_TIMESTAMP, 42]);
console.log(sql); // UPDATE posts SET modified = CURRENT_TIMESTAMP() WHERE id = 42
```

To generate objects with a `toSqlString` method, the `SqlString.raw()` method can be used. This creates an object that will be left untouched when used in a `?` placeholder, useful for using functions as dynamic values:

**Caution**: The string provided to `SqlString.raw()` will skip all escaping functions when used, so be careful when passing in unvalidated input.

```javascript
var CURRENT_TIMESTAMP = SqlString.raw('CURRENT_TIMESTAMP()');
var sql = SqlString.format('UPDATE posts SET modified = ? WHERE id = ?', [CURRENT_TIMESTAMP, 42]);
console.log(sql); // UPDATE posts SET modified = CURRENT_TIMESTAMP() WHERE id = 42
```

--------------------------------
### Formatting Queries with Placeholders using SqlString.format()

Source: https://www.npmjs.com/package/sqlstring?activeTab=code

Shows how to use `SqlString.format()` with `?` placeholders for automatic value escaping and query formatting, including handling multiple placeholders and different data types.

Alternatively, you can use `?` characters as placeholders for values you would like to have escaped, like this:

#### Basic Usage

```javascript
var userId = 1;
var sql = SqlString.format('SELECT * FROM users WHERE id = ?', [userId]);
console.log(sql); // SELECT * FROM users WHERE id = 1
```

#### Multiple Placeholders

Multiple placeholders are mapped to values in the same order as passed. For example, in the following query `foo` equals `a`, `bar` equals `b`, `baz` equals `c`, and `id` will be `userId`:

```javascript
var userId = 1;
var sql = SqlString.format('UPDATE users SET foo = ?, bar = ?, baz = ? WHERE id = ?', ['a', 'b', 'c', userId]);
console.log(sql); // UPDATE users SET foo = 'a', bar = 'b', baz = 'c' WHERE id = 1
```

**Caution**: This also differs from prepared statements in that all `?` are replaced, even those contained in comments and strings.

#### Value Type Escaping

Different value types are escaped differently:

* **Numbers**: Left untouched.
* **Booleans**: Converted to `true` / `false`.
* **Date objects**: Converted to `'YYYY-mm-dd HH:ii:ss'` strings.
* **Buffers**: Converted to hex strings, e.g. `X'0fa5'`.
* **Strings**: Safely escaped.
* **Arrays**: Turned into a list, e.g. `['a', 'b']` turns into `'a', 'b'`.
* **Nested arrays**: Turned into grouped lists (for bulk inserts), e.g. `[['a', 'b'], ['c', 'd']]` turns into `('a', 'b'), ('c', 'd')`.
* **Objects with a `toSqlString` method**: `.toSqlString()` is called, and the returned value is used as the raw SQL.
* **Objects**: Turned into `key = 'val'` pairs for each enumerable property. If the property's value is a function, it is skipped; if it's an object, `toString()` is called on it.
* **`undefined` / `null`**: Converted to `NULL`.
* **`NaN` / `Infinity`**: Left as-is (MySQL does not support these and will trigger errors).

#### Object Formatting

This escaping allows for neat object formatting:

```javascript
var post = {id: 1, title: 'Hello MySQL'};
var sql = SqlString.format('INSERT INTO posts SET ?', post);
console.log(sql); // INSERT INTO posts SET `id` = 1, `title` = 'Hello MySQL'
```

#### Using `toSqlString` for Dynamic Values

The `toSqlString` method allows forming complex queries with functions:

```javascript
var CURRENT_TIMESTAMP = { toSqlString: function() { return 'CURRENT_TIMESTAMP()'; } };
var sql = SqlString.format('UPDATE posts SET modified = ? WHERE id = ?', [CURRENT_TIMESTAMP, 42]);
console.log(sql); // UPDATE posts SET modified = CURRENT_TIMESTAMP() WHERE id = 42
```

--------------------------------

### Formatting SQL Queries

Source: https://www.npmjs.com/package/sqlstring?activeTab=code

Learn how to use `SqlString.format` to prepare SQL queries with multiple insertion points, ensuring proper escaping for both identifiers and values to prevent SQL injection.

You can use `SqlString.format` to prepare a query with multiple insertion points, utilizing the proper escaping for ids and values.

#### Example 1: Basic Query Formatting

```javascript
var userId = 1;
var inserts = ['users', 'id', userId];
var sql = SqlString.format('SELECT * FROM ?? WHERE ?? = ?', inserts);
console.log(sql); // SELECT * FROM `users` WHERE `id` = 1
```

This provides a safe, escaped query ready to be sent to the database.

#### Example 2: Using `SqlString.raw()` with Formatting

This can be further combined with the `SqlString.raw()` helper to generate SQL that includes MySQL functions as dynamic values.

```javascript
var userId = 1;
var data = { email: 'foobar@example.com', modified: SqlString.raw('NOW()') };
var sql = SqlString.format('UPDATE ?? SET ? WHERE `id` = ?', ['users', data, userId]);
console.log(sql); // UPDATE `users` SET `email` = 'foobar@example.com', `modified` = NOW() WHERE `id` = 1
```

#### Advanced Options

When passing an Object to `.escape()` or `.format()`, `.escapeId()` is used to avoid SQL injection in object keys. You also have the option to pass in `stringifyObject` and `timeZone` to provide custom means of turning objects into strings and handling timezone-aware Dates.

--------------------------------
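To make the substitution rules above traceable by hand, here is an added example (not sqlstring's own code) that reimplements the escape, identifier quoting, `raw()` and `format()` behaviour this page describes in plain JavaScript. It omits Date and Buffer handling and the `stringifyObject` / `timeZone` options, its identifier quoting does not split qualified names, and the `demoFormat()` inputs are constructed for the demonstration; the last of them shows the page's caution that a `?` inside a string literal is consumed as a placeholder too.

```javascript
// Added example, not sqlstring's own code: a minimal reimplementation of the
// escape / escapeId / raw / format behaviour the page describes, so the
// placeholder substitution can be followed step by step.

// Characters MySQL needs escaped inside a single-quoted literal (default SQL mode).
const ESCAPE_MAP = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', "'": "\\'", '"': '\\"', '\\': '\\\\'
};
const ESCAPE_RE = /[\0\b\t\n\r\x1a'"\\]/g;

function escapeString(s) {
  return "'" + s.replace(ESCAPE_RE, c => ESCAPE_MAP[c]) + "'";
}

// Backtick quoting for identifiers; a backtick inside the name is doubled.
// (Qualified-name splitting on '.' is left out of this example.)
function escapeId(id) {
  if (Array.isArray(id)) return id.map(escapeId).join(', ');
  return '`' + String(id).replace(/`/g, '``') + '`';
}

// Wraps a string so that format() inserts it verbatim, with no escaping at all.
function raw(sql) {
  return { toSqlString: () => sql };
}

function escapeValue(val) {
  if (val === undefined || val === null) return 'NULL';
  switch (typeof val) {
    case 'boolean': return val ? 'true' : 'false';
    case 'number': return String(val);               // NaN / Infinity pass through unchanged
    case 'object':
      if (typeof val.toSqlString === 'function') return String(val.toSqlString());
      if (Array.isArray(val)) {
        // Nested arrays become parenthesised groups, as used for bulk inserts.
        return val.map(v => (Array.isArray(v) ? '(' + escapeValue(v) + ')' : escapeValue(v))).join(', ');
      }
      return objectToValues(val);
    default: return escapeString(String(val));
  }
}

// Plain objects become `key` = value pairs; function-valued properties are skipped.
function objectToValues(obj) {
  const pairs = [];
  for (const key of Object.keys(obj)) {
    const v = obj[key];
    if (typeof v === 'function') continue;
    pairs.push(escapeId(key) + ' = ' + escapeValue(v));
  }
  return pairs.join(', ');
}

// Replace each `??` with a quoted identifier and each `?` with an escaped value,
// strictly left to right. Like the library, this is plain text substitution: a `?`
// inside a string literal or a comment is consumed as well.
function format(sql, values) {
  const list = Array.isArray(values) ? values : [values];
  let i = 0;
  return sql.replace(/\?\??/g, match => {
    if (i >= list.length) return match;               // leave extra placeholders alone
    const v = list[i++];
    return match === '??' ? escapeId(v) : escapeValue(v);
  });
}

// Constructed demonstration inputs.
function demoFormat() {
  return {
    select: format('SELECT * FROM ?? WHERE ?? = ?', ['users', 'id', 1]),
    update: format('UPDATE ?? SET ? WHERE `id` = ?',
      ['users', { email: 'foobar@example.com', modified: raw('NOW()') }, 1]),
    bulk: format('INSERT INTO t (a, b) VALUES ?', [[['a', 'b'], ['c', 'd']]]),
    quoted: format('SELECT * FROM posts WHERE title = ?', ["O'Reilly\\n"]),
    // The caution from the page: the `?` inside the string literal is replaced too,
    // so the values shift by one and the query no longer means what was intended.
    shifted: format("SELECT '?' AS tag FROM users WHERE id = ?", [1, 2])
  };
}
```

The `shifted` case is the one to remember when reviewing code that builds queries this way: because substitution is textual, any `?` that is part of the SQL text itself (in a literal or a comment) has to be avoided or the value list has to account for it.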
### Usage

Source: https://www.npmjs.com/package/sqlstring?activeTab=code

Import the sqlstring module into your Node.js project.

```javascript
var SqlString = require('sqlstring');
```

--------------------------------

### Escaping SQL Identifiers

Source: https://www.npmjs.com/package/sqlstring?activeTab=code

Demonstrates how to escape SQL identifiers (database, table, or column names) to prevent SQL injection when they are provided by users. It also shows how to handle qualified identifiers and literal identifiers.

If you can't trust an SQL identifier (database / table / column name) because it is provided by a user, you should escape it with `SqlString.escapeId(identifier)`.

#### Example 1: Basic Escaping

```javascript
var sorter = 'date';
var sql = 'SELECT * FROM posts ORDER BY ' + SqlString.escapeId(sorter);
console.log(sql); // SELECT * FROM posts ORDER BY `date`
```

#### Example 2: Qualified Identifiers

It also supports qualified identifiers. It will escape both parts.

```javascript
var sorter = 'date';
var sql = 'SELECT * FROM posts ORDER BY ' + SqlString.escapeId('posts.' + sorter);
console.log(sql); // SELECT * FROM posts ORDER BY `posts`.`date`
```

#### Example 3: Literal Identifiers

If you do not want `.` to be treated as a qualifier separator, set the second argument to `true` to keep the whole string as a single literal identifier.

```javascript
var sorter = 'date.2';
var sql = 'SELECT * FROM posts ORDER BY ' + SqlString.escapeId(sorter, true);
console.log(sql); // SELECT * FROM posts ORDER BY `date.2`
```

#### Example 4: Using `??` as Placeholders for Identifiers

Alternatively, you can use `??` characters as placeholders for identifiers you would like to have escaped.

```javascript
var userId = 1;
var columns = ['username', 'email'];
var sql = SqlString.format('SELECT ?? FROM ?? WHERE id = ?', [columns, 'users', userId]);
console.log(sql); // SELECT `username`, `email` FROM `users` WHERE id = 1
```

**Note**: The `??` placeholder syntax is experimental and subject to change.

--------------------------------

### SqlString.format()

Source: https://www.npmjs.com/package/sqlstring?activeTab=dependencies

Formats a SQL query string by replacing `?` placeholders with escaped values and `??` placeholders with escaped identifiers.

#### SqlString.format(sql, values)

#### Description

Formats a SQL query by replacing `?` placeholders with escaped values (and `??` placeholders with escaped identifiers) taken in order from the provided array. This is the recommended way to build queries safely.

#### Parameters

- **sql** (string) - Required - The SQL query string containing `?` / `??` placeholders.
- **values** (array) - Required - An array of values to replace the placeholders. A single non-array value (for example an object for a `SET ?` clause) is treated as a one-element list.

#### Example

```javascript
var sql = SqlString.format('UPDATE users SET foo = ?, bar = ? WHERE id = ?', ['a', 'b', 1]);
```

#### Returns

- **string** - The fully formatted SQL query string.

--------------------------------

### Escaping Query Values with SqlString.escape()

Source: https://www.npmjs.com/package/sqlstring?activeTab=code

Demonstrates how to escape individual user-provided values to prevent SQL injection using the `SqlString.escape()` method.

**Caution**: These methods of escaping values only work when the `NO_BACKSLASH_ESCAPES` SQL mode is disabled (which is the default state for MySQL servers).

In order to avoid SQL injection attacks, you should always escape any user-provided data before using it inside a SQL query. You can do so using the `SqlString.escape()` method:

#### Example

```javascript
var userId = 'some user provided value';
var sql = 'SELECT * FROM users WHERE id = ' + SqlString.escape(userId);
console.log(sql); // SELECT * FROM users WHERE id = 'some user provided value'
```

#### Direct Escaping

If you feel the need to escape queries by yourself, you can also use the escaping function directly:

```javascript
var sql = 'SELECT * FROM posts WHERE title=' + SqlString.escape('Hello MySQL');
console.log(sql); // SELECT * FROM posts WHERE title='Hello MySQL'
```

--------------------------------
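The `NO_BACKSLASH_ESCAPES` caution above is easy to read past, so here is an added example (not sqlstring's own code) that makes it concrete. `escapeLiteral()` escapes a value the way a backslash-mode server expects or the way a `NO_BACKSLASH_ESCAPES` server expects, and `scanLiterals()` tokenises the result the way the server's lexer would under each mode; `isSingleLiteral()` is the check a reviewer can run on escaper output. The escaper here only handles quotes and backslashes (the library also escapes control characters), and the `demoModes()` inputs are constructed.

```javascript
// Added example, not sqlstring's own code. It shows why the page's caution about
// NO_BACKSLASH_ESCAPES matters: the same escaped text is tokenised differently
// depending on whether the server treats backslash as an escape character.

// Escape a value for a single-quoted MySQL literal under the given SQL mode.
function escapeLiteral(value, noBackslashEscapes) {
  const s = String(value);
  if (noBackslashEscapes) {
    // Backslash is an ordinary character in this mode; only the quote itself
    // needs to be doubled.
    return "'" + s.replace(/'/g, "''") + "'";
  }
  // Default mode: backslash-escape the quote and the backslash. (The library also
  // escapes control characters such as newline; omitted here.)
  return "'" + s.replace(/[\\']/g, c => '\\' + c) + "'";
}

// Walk a SQL fragment the way the server's lexer would for the given mode and
// report how many single-quoted literals were opened, whether the last one is
// still open at the end, and any text that ended up outside a literal.
function scanLiterals(sql, noBackslashEscapes) {
  let inLiteral = false;
  let literals = 0;
  let outside = '';
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (!inLiteral) {
      if (c === "'") { inLiteral = true; literals++; } else { outside += c; }
      continue;
    }
    if (c === '\\' && !noBackslashEscapes) { i++; continue; }  // escaped char, skip it
    if (c === "'") {
      if (sql[i + 1] === "'") { i++; continue; }                // doubled quote, stay inside
      inLiteral = false;
    }
  }
  return { literals, unterminated: inLiteral, outside: outside.trim() };
}

// A check a defender can run on escaper output: the escaped text must be read as
// exactly one complete literal with nothing spilling outside it.
function isSingleLiteral(escaped, noBackslashEscapes) {
  const r = scanLiterals(escaped, noBackslashEscapes);
  return r.literals === 1 && !r.unterminated && r.outside === '';
}

// Constructed inputs: a value with an embedded quote and one ending in a backslash.
function demoModes() {
  const quoted = "it's";
  const trailingBackslash = 'abc\\';
  return {
    defaultModeOk: isSingleLiteral(escapeLiteral(quoted, false), false),
    // Escaped for default mode but read under NO_BACKSLASH_ESCAPES: the backslash
    // no longer protects the quote, the literal ends early and the remaining "s'"
    // opens a second, unterminated literal.
    defaultModeWrongServer: isSingleLiteral(escapeLiteral(quoted, false), true),
    noBackslashModeOk: isSingleLiteral(escapeLiteral(trailingBackslash, true), true),
    // Quote-doubling output read by a default-mode server: the trailing backslash
    // swallows the closing quote and the literal is never closed.
    noBackslashModeWrongServer: isSingleLiteral(escapeLiteral(trailingBackslash, true), false)
  };
}
```

The practical consequence is the one the caution states: the escaping strategy has to match the server's SQL mode, and a deployment that enables `NO_BACKSLASH_ESCAPES` cannot rely on backslash-based escaping (parameterised statements executed by the driver sidestep the question entirely).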
### SqlString.raw()

Source: https://www.npmjs.com/package/sqlstring?activeTab=dependencies

Creates a raw object that will not be escaped when used in a query.

#### SqlString.raw(sql)

#### Description

Creates an object that will be left untouched when used in a `?` placeholder. Useful for inserting SQL functions such as `CURRENT_TIMESTAMP()` as dynamic values. The string is not escaped in any way, so it must never come from unvalidated input.

#### Parameters

- **sql** (string) - Required - The raw SQL string to be inserted verbatim.

#### Example

```javascript
var val = SqlString.raw('CURRENT_TIMESTAMP()');
var sql = SqlString.format('UPDATE posts SET modified = ?', [val]);
```

#### Returns

- **object** - An object with a `toSqlString` method that returns the raw input.

--------------------------------

### SqlString.escape()

Source: https://www.npmjs.com/package/sqlstring?activeTab=dependencies

Escapes a single value to be safely used in a SQL query.

#### SqlString.escape(value)

#### Description

Escapes a user-provided value to prevent SQL injection attacks. This method should be used when manually constructing SQL strings.

#### Parameters

- **value** (any) - Required - The value to be escaped.

#### Example

```javascript
var userId = 'some user provided value';
var sql = 'SELECT * FROM users WHERE id = ' + SqlString.escape(userId);
```

#### Returns

- **string** - The escaped SQL string.
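As an added example (not sqlstring's own code), here is a reimplementation of the `escapeId` quoting rules this page describes (backtick quoting, `.` as a qualifier separator unless the second argument is `true`), together with an allow-list check that identifier escaping by itself does not provide: escaping guarantees the value is parsed as a name rather than as SQL, but it still accepts any column name the caller supplies. `SORTABLE_COLUMNS` and the `orderByClause()` / `tryOrderBy()` helpers are hypothetical and constructed for this demonstration.

```javascript
// Added example, not sqlstring's own code: escapeId's quoting rules as the page
// describes them, plus an allow-list check that escaping alone does not give you.

function escapeId(val, forbidQualified) {
  if (Array.isArray(val)) {
    return val.map(v => escapeId(v, forbidQualified)).join(', ');
  }
  // A backtick inside the name is doubled so it cannot close the quoting.
  const quoted = String(val).replace(/`/g, '``');
  if (forbidQualified) return '`' + quoted + '`';
  // Otherwise each dot-separated part is quoted on its own: posts.date -> `posts`.`date`
  return '`' + quoted.replace(/\./g, '`.`') + '`';
}

// Constructed allow-list (hypothetical schema) of columns a caller may sort by.
const SORTABLE_COLUMNS = new Set(['id', 'date', 'title']);

// escapeId makes the identifier safe to splice into the query text, but any column
// name the caller supplies would still be accepted. Restricting the sort key to
// known columns keeps user input from reaching columns the feature never intended.
function orderByClause(sorter) {
  if (!SORTABLE_COLUMNS.has(sorter)) {
    throw new RangeError('unsupported sort column: ' + sorter);
  }
  return 'SELECT * FROM posts ORDER BY ' + escapeId('posts.' + sorter);
}

// Returns the rejection message instead of throwing, so the outcome can be inspected.
function tryOrderBy(sorter) {
  try {
    return orderByClause(sorter);
  } catch (e) {
    return 'rejected: ' + e.message;
  }
}
```

Used together, the two steps are complementary: the allow-list decides whether the caller may name that column at all, and `escapeId` guarantees the accepted name is emitted as a quoted identifier even when it contains a dot or a backtick.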