
Instead of concatenating string values into your SQL commands, you should use parameterized queries, so that values are bound separately and never become part of the SQL text.

See the following example:

/**
 * Example of a parameterized INSERT (Request/TYPES/execSql look like the tedious API).
 *
 * Column values are bound with `request.addParameter`, so they never become part
 * of the SQL text. The table name is still spliced into the string via `${table}`;
 * identifiers cannot be bound as parameters, so `table` must come from a trusted,
 * fixed set (e.g. an allow-list) rather than from user input.
 *
 * Relies on `table`, `Request`, `TYPES`, `connection` and `outputParameters`
 * being in scope; none of them are defined in this block.
 */
function inputParameters() {
  // Placeholders are written as @name; each is bound below with addParameter.
  const insertSql = `INSERT INTO ${table} (uniqueIdCol, intCol, nVarCharCol) VALUES (@uniqueIdVal, @intVal, @nVarCharVal)`;

  // Completion callback: rethrow on failure, otherwise log and chain to the next step.
  function onComplete(err, rowCount) {
    if (err) {
      throw err;
    }
    console.log('rowCount: ', rowCount);
    console.log('input parameters success!');
    outputParameters();
  }

  const request = new Request(insertSql, onComplete);

  // Bind each placeholder (the name must match the @name in the SQL) to a typed value.
  const bindings = [
    ['uniqueIdVal', TYPES.UniqueIdentifier, 'ba46b824-487b-4e7d-8fb9-703acdf954e5'],
    ['intVal', TYPES.Int, 435],
    ['nVarCharVal', TYPES.NVarChar, 'hello world'],
  ];
  for (const [name, type, value] of bindings) {
    request.addParameter(name, type, value);
  }

  connection.execSql(request);
}

