Prevent Single Quotation Marks when Mysql Escape()
var user = "hi"; // this info comes from the client in reality
console.log(user); // hi
user = client.escape(user); // client being a MySQL client
console.log(user); // 'hi'
Then when I insert into the database, the single quotation marks are still
there. And when I select it, they are still there...
Is there a way to make sure the client isn't doing injection stuff and at
the same time, not add single quotes in the database? Or at least a way to
remove them, such as unescape()?
I can use substring(1) and substring(-1) but that doesn't seem the right
way to do it.
Note: I'm using Node.js.
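An added example, not part of the original post and not code from any MySQL client library: it models the behaviour described in the question, assuming escape() returns a complete quoted SQL literal and that the stored quotes come from the value being escaped or quoted a second time. `escapeLiteral`, `storedValue`, `buildInsert` and `escapedTwice` are hypothetical names, and the `users` table is constructed.

```javascript
// Stand-in for an escape() that returns a quoted SQL string literal
// (assumption about the client; simplified, not the real library's code).
function escapeLiteral(value) {
  var body = String(value).replace(/[\\']/g, function (ch) { return "\\" + ch; });
  return "'" + body + "'";
}

// Hypothetical helper: decode one quoted literal to the value a server would store.
function storedValue(literal) {
  var last = literal.length - 1;
  if (last < 1 || literal[0] !== "'" || literal[last] !== "'") {
    throw new Error("not a quoted literal: " + literal);
  }
  var out = "";
  for (var i = 1; i < last; i++) {
    if (literal[i] === "\\") {
      i++; // a backslash escapes the next character
      if (i >= last) throw new Error("unterminated literal: " + literal);
    } else if (literal[i] === "'") {
      throw new Error("unescaped quote ends the literal early: " + literal);
    }
    out += literal[i];
  }
  return out;
}

// Intended use: the escaped value already carries its quotes, so it is
// concatenated as-is, with no extra quotes around it in the SQL text.
function buildInsert(user) {
  return "INSERT INTO users (name) VALUES (" + escapeLiteral(user) + ")";
}

// Failure mode: the value is escaped twice, for example escaped by hand and
// then bound as a query parameter that the client escapes again.
function escapedTwice(user) {
  return escapeLiteral(escapeLiteral(user));
}

// Constructed sample inputs.
console.log(buildInsert("hi"));
console.log(storedValue(escapeLiteral("hi")));      // quotes are syntax, not data
console.log(storedValue(escapedTwice("hi")));       // quotes became part of the data
console.log(storedValue(escapeLiteral("O'Brien"))); // embedded quote stays data
```

The quotes in escape()'s output are SQL syntax that the server consumes, so stripping them with substring() is only needed when the value has been escaped twice; the fix is to escape exactly once.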