2016-12-25 回答
使用escape()对传入参数进行编码
var userid = 1, name = 'test';
var query = connection.query('select * from users where id = ' + connection.escape(userid) + ', name = ' + connection.escape(name), function(err, results) {
// ...
});
console.log(query.sql); // select * from users where id = 1, name = 'test'
使用connection.query()的查询参数占位符
var userid = 1, name = 'test';
var query = connection.query('select * from users where id = ?, name = ?', [userid, name], function(err, results) {
// ...
});
console.log(query.sql); // select * from users where id = 1, name = 'test'
使用escapeid()编码sql查询标识符
var sorter = 'date';
var sql = 'select * from posts order by ' + connection.escapeid(sorter);
connection.query(sql, function(err, results) {
// ...
});
使用mysql.format()转义参数
var userid = 1;
var sql = "select * from ?? where ?? = ?";
var inserts = ['users', 'id', userid];
sql = mysql.format(sql, inserts); // select * from users where id = 1