Support of Escaping query identifiers


I am using Sequelize 2.0.0 in my node project and my dialect is mysql. For now, I prefer to use raw SQL queries instead of the Sequelize ORM methods.

I am not able to find any example or documentation regarding "How to use Escaping query identifiers with my SQL queries" in Sequelize.

I want to escape quotes in some cases while performing insert or update operations.

I want support like what I found in node-mysql: https://github.com/felixge/node-mysql#escaping-query-identifiers

Can you provide me with some short SQL query (either insert or update)? I guess the Replacements document at http://sequelizejs.com/docs/latest/usage#raw-queries is something different from what I am looking for, or I might be wrong. I want to know whether replacements will solve my escape issue.

Thanks

2

There are 2 answers

0
Your Common Sense On

There is no point in looking for any documentation regarding "How to use Escaping query identifiers with my SQL queries" in Sequelize, because Sequelize has absolutely nothing to do with MySQL identifiers.

So, to format an identifier, you have to enclose it in backticks and double any backticks inside.

2
Quentin On

mysql_real_escape_string is a PHP function; you can't use it with a JS library.

Sequelize is an ORM, it abstracts the SQL away (and, looking at the documentation, I can't see an API for injecting raw SQL using it). You don't need to manually escape strings before inserting them into SQL because you aren't writing SQL yourself.


I've found the documentation for raw queries.

You can see in the documentation that it uses parameterized queries:

sequelize.query('SELECT * FROM projects WHERE status = :status ', null, {raw: true}, { status: 'active' }).success(function(projects) {
  console.log(projects)
})

These are the preferred way to escape text for SQL (this is also true in PHP).
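The two rules from the answers above, put together in plain Node.js as an added example (not code from the question, the answers, or Sequelize itself): identifier names get backtick-quoting with inner backticks doubled, while values are left as named placeholders for the replacements mechanism. `quoteIdentifier`, `quoteQualified`, `buildUpdate` and the `ALLOWED_COLUMNS` allow-list are assumed helper names, not a Sequelize API.

```javascript
// MySQL identifier quoting as described in the first answer: wrap the name in
// backticks and double any backtick that appears inside it. Assumed helper.
function quoteIdentifier(name) {
  if (typeof name !== 'string' || name.length === 0) {
    throw new TypeError('identifier must be a non-empty string');
  }
  return '`' + name.replace(/`/g, '``') + '`';
}

// Qualified names (db.table or table.column) are quoted part by part so the
// dot stays a separator. A literal dot inside a name is passed as one part.
function quoteQualified(...parts) {
  return parts.map(quoteIdentifier).join('.');
}

// Identifiers cannot be sent as query parameters, so quoting alone is not a
// substitute for checking them: only accept column names from a fixed list.
// Constructed allow-list for this example.
const ALLOWED_COLUMNS = new Set(['status', 'title']);

// Build an UPDATE whose table/column names are quoted identifiers and whose
// values are :named placeholders, to be filled in by replacements the way
// the second answer's SELECT uses :status.
function buildUpdate(table, column, whereColumn) {
  for (const col of [column, whereColumn]) {
    if (!ALLOWED_COLUMNS.has(col)) {
      throw new Error('column not allowed: ' + col);
    }
  }
  return 'UPDATE ' + quoteIdentifier(table) +
    ' SET ' + quoteIdentifier(column) + ' = :value' +
    ' WHERE ' + quoteIdentifier(whereColumn) + ' = :match';
}

// Example usage: the resulting string is what would be handed to
// sequelize.query() together with { value: ..., match: ... } as replacements.
console.log(buildUpdate('projects', 'status', 'title'));
console.log(quoteQualified('mydb', 'odd`name'));
```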