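/**
 * Adds one `varchar(255)` column per entry of `columns` to `table_name`,
 * using a single ALTER TABLE statement.
 *
 * The table name is quoted with `SqlString.escapeId`. Each column name is
 * passed through `this._escape_column_name` and then wrapped in backticks
 * by hand.
 *
 * @param table_name Name of the table to alter (quoted here as an identifier).
 * @param columns Column names to add.
 * @returns Whatever `connection.query` resolves to for the ALTER statement.
 */
async _create_columns(table_name, columns) {
  table_name = SqlString.escapeId(table_name);
  // NOTE(review): the backticks around each column are added manually, so this
  // statement is only safe if _escape_column_name (not shown here) doubles or
  // strips backticks in the name. Confirm, or quote the column with
  // SqlString.escapeId as is done for the table name.
  const clauses = columns.map((column) => {
    const name = this._escape_column_name(column);
    return `ADD COLUMN \`${name}\` varchar(255)`;
  });
  // Joining the clauses leaves no trailing comma to trim, so an empty `columns`
  // list no longer cuts the closing backtick off the table identifier.
  const statement = `ALTER TABLE ${table_name} ${clauses.join(',')}`;
  // The connection is acquired only after the statement is built, and is
  // released in `finally`, so a failing escape or query cannot leak it.
  const connection = await this._get_connection();
  try {
    return await connection.query(statement);
  } finally {
    connection.close();
  }
}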
// Excerpt: the enclosing function and the condition closed by the first `}` begin before this point.
// Remove the `_id_midas` entry from the column list and have LOAD DATA set that column to NULL instead.
temp_c = temp_c.filter(e => e !== '`_id_midas`');
no_id = 'SET _id_midas = NULL;'
}
//temp_c.splice(1,1);
// Bulk-load the CSV at file_path into the temporary table: comma-separated fields, optional
// double-quote enclosure, CRLF line endings, first line skipped.
// NOTE(review): file_path is placed inside a single-quoted SQL string with no escaping, so a quote
// or backslash in the path alters the statement. If the path can be influenced by a caller, build
// the literal with SqlString.escape(file_path) instead of manual quotes.
// NOTE(review): the entries of temp_c are interpolated verbatim here and in the INSERT below. They
// appear to be backtick-quoted already (see the '`_id_midas`' comparison above); confirm they are
// produced by SqlString.escapeId where the list is built.
// LOCAL makes the client send the file to the server, so this depends on local-infile being enabled
// for the connection; keep that option limited to connections that need it.
let infile_statement = `LOAD DATA LOCAL INFILE '${file_path}' INTO TABLE ${SqlString.escapeId(temporary_table_name)}
FIELDS TERMINATED BY ','
OPTIONALLY ENCLOSED BY '"'
LINES TERMINATED BY '\r\n'
IGNORE 1 LINES
(${temp_c.join(',')})
${no_id}`;
await connection.query(infile_statement);
// Insert data
// Upsert from the temporary table into the target table: on a duplicate key, every column in
// temp_c is overwritten with the incoming value.
let insert_statement = `INSERT INTO ${SqlString.escapeId(table_name)}
SELECT * FROM ${SqlString.escapeId(temporary_table_name)}
ON DUPLICATE KEY UPDATE ${temp_c.map(column => `${column} = VALUES(${column})` ).join(',')};`
await connection.execute(insert_statement);
// Drop temporary table
let drop_temp_table_statement = `DROP TEMPORARY TABLE ${SqlString.escapeId(temporary_table_name)}`;
await connection.execute(drop_temp_table_statement);
// Remove temporary file
// NOTE(review): no try/finally is visible in this excerpt, so if any query above rejects, the
// temporary file and the connection are presumably left behind. Verify against the full function.
await fs.remove(file_path);
// Close connection
connection.close();
}
/**
 * Quotes `content` for use as a SQL identifier by delegating to `escapeId`.
 *
 * `escapeId` is imported outside this excerpt; presumably it is the
 * identifier-quoting helper from sqlstring/mysql. Confirm at the import.
 * This is for identifiers only: values still need placeholders.
 *
 * @param content Raw identifier (table or column name).
 * @returns The identifier as returned by `escapeId`.
 */
private wrapName( content: string ): string {
	const quoted = escapeId( content );
	return quoted;
}
/**
 * Quotes `n` as a single SQL identifier.
 *
 * The second argument to `SqlString.escapeId` is `forbidQualified`. With it
 * set to `true`, a dot in `n` is kept inside the quoted name instead of being
 * treated as a `schema.table` / `table.column` separator, so a caller-supplied
 * name cannot address a different table through a qualifier.
 *
 * @param n Raw identifier.
 * @returns The backtick-quoted identifier.
 */
function eid(n: string): string {
  const forbidQualified = true
  return SqlString.escapeId(n, forbidQualified)
}
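/**
 * Builds a parameterized UPDATE statement for one row.
 *
 * Every enumerable key of `data` except `idKey` becomes a `col = ?`
 * assignment. Identifiers go through `escapeId` and values are returned
 * separately in `params`, so they are never concatenated into the SQL text.
 *
 * NOTE(review): every key of `data` becomes a writable column. If `data` comes
 * from a request body, allow-list the keys before calling this.
 *
 * NOTE(review): when `data[idKey]` is missing (undefined or null), the
 * statement has no WHERE clause and would update every row. Callers should
 * make sure the id is present before executing the result.
 *
 * @param tableName Table to update.
 * @param data Column/value map, normally including the row id under `idKey`.
 * @param idKey Name of the id column (default `'id'`).
 * @returns `{ sql, params }`, with `params` in placeholder order.
 */
exports.getUpdateSql = (tableName, data, idKey = 'id') => {
  const params = []
  const assignments = []
  const quotedTable = escapeId(tableName)
  for (const key in data) {
    if (key !== idKey) {
      assignments.push(`${escapeId(key)} = ?`)
      params.push(data[key])
    }
  }
  const idValue = data[idKey]
  let where = ''
  // A truthiness test dropped the WHERE clause for ids such as 0 or '',
  // turning a single-row update into a whole-table update. Only a missing
  // id (undefined/null) skips the clause now.
  if (idValue !== undefined && idValue !== null) {
    where = `where ${escapeId(idKey)} = ?`
    params.push(idValue)
  }
  const sql = `update ${quotedTable} set ${assignments.join(',')} ${where}`
  return { sql, params }
}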
/**
 * Quotes `content` as a SQL identifier. In sentence mode every backtick
 * in the result is replaced by a double quote.
 *
 * NOTE(review): `escapeId` is imported outside this excerpt. If it is the
 * sqlstring/mysql helper, it doubles embedded backticks but does not touch
 * double quotes, so in sentence mode a name that already contains `"` would
 * no longer be safely quoted. Confirm whether sentence-mode output is ever
 * executed, and escape `"` if it is.
 *
 * @param content Raw identifier (table or column name).
 * @returns The quoted identifier, double-quoted when `_sentenceMode` is set.
 */
private wrapName( content: string ): string {
	const quoted = escapeId( content );
	return this._sentenceMode ? quoted.replace( /\`/g, '"' ) : quoted;
}
/**
 * Builds a parameterized INSERT statement from a column/value map.
 *
 * Table and column names are quoted with `escapeId`. Values are returned
 * in `params` and bound through `?` placeholders rather than being written
 * into the SQL text.
 *
 * NOTE(review): every enumerable key of `data` (inherited ones included,
 * because of `for...in`) becomes a column. If `data` comes from a request
 * body, allow-list the keys before calling this.
 *
 * @param tableName Table to insert into.
 * @param data Column/value map.
 * @returns `{ sql, params }`, with `params` in column order.
 */
exports.getInsertSql = (tableName, data) => {
  const quotedTable = escapeId(tableName)
  const columnList = []
  const params = []
  for (const key in data) {
    columnList.push(escapeId(key))
    params.push(data[key])
  }
  const columns = columnList.join(',')
  // One placeholder per column, in the same order as params.
  const holders = columnList.map(() => '?').join(',')
  const sql = `insert into ${quotedTable} (${columns}) values (${holders})`
  return { sql, params }
}
/**
 * Quotes `value` as a SQL identifier via `SqlString.escapeId`.
 *
 * `forbidQualified` is passed as `false`, so a dot in `value` is treated as
 * a qualifier separator (`a.b` is quoted as two parts). A caller-supplied
 * name containing a dot can therefore refer to another table or schema;
 * validate names against an allow-list where that matters.
 *
 * @param value Raw identifier.
 * @returns The quoted identifier.
 */
escapeId(value) {
  const forbidQualified = false;
  return SqlString.escapeId(value, forbidQualified);
}
/**
 * Builds a parameterized INSERT statement from a column/value map.
 *
 * Identifiers (table and column names) are quoted with `escapeId`. Values
 * are never placed in the SQL text: each one gets a `?` placeholder and is
 * returned in `params`.
 *
 * NOTE(review): `for...in` walks every enumerable key of `data`, inherited
 * ones included, and each becomes a column. Restrict the keys to an
 * allow-list when `data` originates from user input.
 *
 * @param tableName Table to insert into.
 * @param data Column/value map.
 * @returns `{ sql, params }`, with `params` in column order.
 */
exports.getInsertSql = (tableName, data) => {
  const target = escapeId(tableName)
  const names = []
  const marks = []
  const params = []
  for (const key in data) {
    names.push(escapeId(key))
    marks.push('?')
    params.push(data[key])
  }
  const sql = `insert into ${target} (${names.join(',')}) values (${marks.join(',')})`
  return { sql, params }
}