Is escape enough to prevent sql injection?

const mysql = require('mysql2');
const con = mysql.createConnection({
  host: "****",
  user: "****",
  password: "****",
  database: "****"
app.get('/:userId', function(req, res) {
      if(req.params.userId.match(/^[0-9]+$/) != null){
        con.query("select * from users where user_id = "+con.escape(req.params.userId), function (err, result, fields) {
        if (err || result[0] == null){
          res.status(404).send('The page was not found');
        res.render('pages/index', {
        console.log("The user entered letters and/or special characters");
          res.status(404).send('The page was not found.');

I want to prevent sql injection, is checking for special characters + escape enough to provide high level security?
I didn’t find much documentation on how escape works, that’s why I’m asking