const mysql = require('mysql2');
const con = mysql.createConnection({
host: "****",
user: "****",
password: "****",
database: "****"
});
app.get('/:userId', function(req, res) {
if(req.params.userId.match(/^[0-9]+$/) != null){
con.query("select * from users where user_id = "+con.escape(req.params.userId), function (err, result, fields) {
if (err || result[0] == null){
console.log(err);
res.status(404).send('The page was not found');
}else{
res.render('pages/index', {
userName:result[0].user_name,
bio:"bio"
});
}
});
}else{
console.log("The user entered letters and/or special characters");
res.status(404).send('The page was not found.');
}
I want to prevent sql injection, is checking for special characters + escape enough to provide high level security?
I didn’t find much documentation on how escape works, that’s why I’m asking