escape-sql-string
v1.2.2
Published
Simple SQL string escape.
Downloads
17,537
Maintainers
Readme
escape-sql-string
Simple SQL string escape.
import escapeString from 'escape-sql-string';
const sqlString = "Sup'er"
console.log(escapeString(sqlString)) // => Sup''er
Installation
npm install escape-sql-string
Note
Original implementation from sql-escape-string with the added typescript support
API
escapeString
Escapes the given string to protect against SQL injection attacks.
By default, it assumes that backslashes are not supported as they are not part of the standard SQL spec. Quoting from the SQLite website:
C-style escapes using the backslash character are not supported because they are not standard SQL.
This means three things:
- backslashes and double quotes
"
are not escaped by default - single quotes are escaped via
''
instead of\'
- your sql engine should throw an error when encountering a backslash escape
as part of a string, unless it is a literal backslash, i.e.
'backslash: \\'
.
It is recommended to set the backslashSupported
option true
if your SQL
engine supports it. In that case backslash sequences are escaped and single
and double quotes are escaped via a backslash, i.e. '\''
.
Parameters
value
String the original string to be used in a SQL queryoptions
Object optsoptions.backslashSupported
Boolean? iftrue
backslashes are supported (optional, defaultfalse
)
opts
Returns String the original string escaped wrapped in single quotes, i.e. 'mystring'
License
MIT