When a message is sent, an SQL query is made:

    connection.query('INSERT INTO `'+config.db_prefix+'_chat`(`user_id`, `msg`) VALUES ("'+user_id+'", "'+msg.message+'")', function (err, result) {
        if (err) throw err;
        // here the message is broadcast to the clients in the chat
    });

And if the message contains characters such as / and other special characters, the nodejs process crashes and reports an SQL syntax error. What is the best way to implement "escaping" without losing these characters?

    1 answer

    There is no need to substitute variables directly into the query text. The query function can accept an array of variables to be substituted into the query. In the query text itself, the variables are marked with question marks. Like this:

     connection.query('INSERT INTO `'+config.db_prefix+'_chat`(`user_id`, `msg`) VALUES (?,?)', [user_id, msg.message], function (err, result) {
         ...
     });
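To see why the placeholder form keeps every character intact, here is an added example (not code from the question or the answer) that builds both query strings for a message containing `/`, quotes and a backslash. The `escapeValue` and `bindPlaceholders` helpers are assumptions that imitate the MySQL string-literal escaping a driver applies when it is given a values array; in real code the driver does this for you.

```javascript
// Escape one value the way a MySQL driver does before placing it in a
// quoted literal (assumed helper; a real driver does this internally).
function escapeValue(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') return String(value);
  const map = { '\0': '\\0', '\n': '\\n', '\r': '\\r', '\t': '\\t',
                '"': '\\"', "'": "\\'", '\\': '\\\\' };
  return "'" + String(value).replace(/[\0\n\r\t"'\\]/g, ch => map[ch]) + "'";
}

// Replace each `?` in the query text with the escaped value at the same
// position, refusing to run if the counts do not match.
function bindPlaceholders(sql, values) {
  let i = 0;
  const out = sql.replace(/\?/g, () => {
    if (i >= values.length) throw new Error('not enough values for placeholders');
    return escapeValue(values[i++]);
  });
  if (i !== values.length) throw new Error('too many values for placeholders');
  return out;
}

// The concatenation from the question, kept only for comparison.
function naiveQuery(prefix, userId, message) {
  return 'INSERT INTO `' + prefix + '_chat`(`user_id`, `msg`) VALUES ("' +
         userId + '", "' + message + '")';
}

// The placeholder form from the answer; the table prefix is a config value,
// not user input, so it may still be concatenated.
function boundQuery(prefix, userId, message) {
  const sql = 'INSERT INTO `' + prefix + '_chat`(`user_id`, `msg`) VALUES (?,?)';
  return bindPlaceholders(sql, [userId, message]);
}

// Constructed sample message with the kinds of characters the question mentions.
const SAMPLE_MESSAGE = 'a/b "quoted" it\'s \\ done';

// Returns both query strings so they can be compared side by side.
function demo() {
  return {
    naive: naiveQuery('app', 7, SAMPLE_MESSAGE),
    bound: boundQuery('app', 7, SAMPLE_MESSAGE),
  };
}
```

In the naive string the message's own `"` characters terminate the literal early, which is the syntax error the question describes; in the bound string they are escaped and the `/` survives unchanged.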