Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

No sanitize method? #116

Open
thpglobal opened this issue Jul 29, 2021 · 3 comments
Open

No sanitize method? #116

thpglobal opened this issue Jul 29, 2021 · 3 comments
Labels
enhancement New feature or request

Comments

@thpglobal
Copy link

It appears that there is no method for sanitizing strings to be safe for mysql. Generally, mysql drivers include this. I found a simple one on stack overflow here (much shorter than the super-long one on nodejs.

@AnInternetTroll
Copy link

The library auto sanitizes all input with this library https://deno.land/x/[email protected]/util.ts

@zumoshi
Copy link

zumoshi commented Nov 24, 2021

Wouldn't it have been better if instead of sanitizing by escaping as string and formatting the values into the SQL string itself we used the binary protocol to send placeholder values separately?

https://dev.mysql.com/doc/internals/en/com-stmt-execute.html

@manyuanrong manyuanrong added the enhancement New feature or request label Feb 14, 2022
@suchislife801
Copy link

suchislife801 commented Dec 13, 2023

Here is what I currently use so far:

// Deno function to escape MySQL select, insert, update, delete query values
function _escape(value: string | number): string {

  if (typeof value !== 'string') {
    // Handle non-string values appropriately
    // For example, convert to string or return a default string
    value = String(value);
  }

  return value.replace(/[\0\x08\x09\x1a\n\r"'\\\%]/g, (char: string) => {
    switch (char) {
      case "\0":
        return "\\0";
      case "\x08":
        return "\\b";
      case "\x09":
        return "\\t";
      case "\x1a":
        return "\\z";
      case "\n":
        return "\\n";
      case "\r":
        return "\\r";
      case "\"":
      case "'":
      case "\\":
      case "%":
        return "\\" + char;
      default:
        return char;
    }
  });
}

/* DELETE record from table */
const sqlDeleteProject: string = 
`DELETE FROM tblProjects 
  WHERE 
    id = '${_escape(reqBody.params.id)}'
  LIMIT 1;`;

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

5 participants