const escapeString = require('sql-string-escape') const sqlString = "Sup'er" console.log(escapeString(sqlString)) // => Sup''er
npm install sql-escape-string
NoteOriginal implementation from sqlstring with the added option of supporting or not supporting backslash.
escapeStringEscapes the given string to protect against SQL injection attacks.
By default it assumes that backslashes are not supported as they are not part of the standard SQL spec. Quoting from the SQLlite web site:
C-style escapes using the backslash character are not supported because they are not standard SQL.
This means three things:
- backslashes and double quotes
"are not escaped by default
- single quotes are escaped via
- your sql engine should throw an error when encountering a backslash escape
It is recommended to set the
as part of a string, unless it is a literal backslash, i.e. `'backslash: \\'`.
trueif your SQL engine supports it. In that case backslash sequences are escaped and single and double quotes are escaped via a backslash, i.e.
Returns String the original string escaped wrapped in single quotes, i.e.