Query parameterization keeps your database safe from SQL injection by sending the query text and the user-supplied values to the database separately. The values are always treated as data, never as part of the command.
Query parameterization for safety in Node.js
Introduction
Use query parameterization whenever user-controlled data reaches a SQL query, for example:
When you take user input to search or filter data in a database.
When you insert or update data that comes from a form or an API request.
When you want to protect your app from attackers who try to inject SQL through input fields.
When you build any feature that talks to a database using user data.
Syntax
Node.js
// The query text is fixed; the user value goes in the params array.
const sql = 'SELECT * FROM users WHERE id = ?';
const params = [userId];
db.query(sql, params, (err, results) => {
  if (err) throw err; // in a real app, handle or log the error instead of crashing
  console.log(results);
});
Use placeholders such as ? or named parameters, depending on your database library: mysql and mysql2 use ?, node-postgres (pg) uses numbered placeholders like $1 and $2, and sqlite3 accepts ? as well as $name or :name.
Pass user inputs as separate parameters, never spliced into the query string.
Examples
This example safely searches products by category and price using two parameters.
Node.js
const sql = 'SELECT * FROM products WHERE category = ? AND price < ?';
const params = ['books', 20];
db.query(sql, params, callback);
This safely inserts a new user with name and email from user input.
Node.js
const sql = 'INSERT INTO users (name, email) VALUES (?, ?)';
const params = [userName, userEmail];
db.query(sql, params, callback);
This safely updates an order's status using parameters.
Node.js
const sql = 'UPDATE orders SET status = ? WHERE order_id = ?';
const params = ['shipped', orderId];
db.query(sql, params, callback);
Sample Program
This program safely fetches user data by id using query parameterization. It prevents harmful input from changing the query.
Node.js
import mysql from 'mysql2';

// Use a dedicated, least-privilege database account in real deployments,
// not root with an empty password.
const db = mysql.createConnection({
  host: 'localhost',
  user: 'root',
  password: '',
  database: 'shop'
});

const userId = 5; // Imagine this comes from user input

// The SQL text never changes; only the params array carries user data.
const sql = 'SELECT * FROM users WHERE id = ?';
const params = [userId];

db.query(sql, params, (err, results) => {
  if (err) {
    console.error('Database error:', err);
  } else {
    console.log('User data:', results);
  }
  db.end(); // close the connection so the process can exit
});
Important Notes
Never build SQL queries by concatenating or template-interpolating user input into the query string.
Placeholders only cover values. Table names, column names, and keywords such as ASC or DESC cannot be parameterized; if users may choose them, validate the choice against a fixed allow-list before putting it in the query text.
Most database libraries support parameterized queries; check your library's docs. With mysql2, query() substitutes escaped values on the client, while execute() sends a server-side prepared statement; both keep user input out of the SQL structure.
Parameterization can also help performance: when the driver uses server-side prepared statements, the server can reuse the parsed query plan across calls.
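The following is an added example, not code from the original page. It contrasts string concatenation with parameterization and shows an allow-list for the parts of a query that placeholders cannot cover (a sort column and direction). The recording driver makeRecordingDb, the function names, and the PAYLOAD value are assumptions made for this example; no real database is contacted, the fake driver just records the SQL text and parameters that would be sent.

```javascript
// Hypothetical recording driver: stands in for db.query() so we can inspect
// exactly what SQL text and which parameters would reach the server.
function makeRecordingDb() {
  const sent = [];
  return {
    query(sql, params, cb) {
      sent.push({ sql, params: params.slice() });
      if (cb) cb(null, []);
    },
    sent,
  };
}

// Vulnerable: the user value is spliced into the SQL text, so quote
// characters in the input change the structure of the statement.
function findUserByNameUnsafe(db, name) {
  const sql = "SELECT * FROM users WHERE name = '" + name + "'";
  db.query(sql, [], () => {});
  return sql;
}

// Parameterized: the SQL text is a fixed string and the value travels
// separately, so the same input can only ever match a literal name.
function findUserByNameSafe(db, name) {
  const sql = 'SELECT * FROM users WHERE name = ?';
  db.query(sql, [name], () => {});
  return { sql, params: [name] };
}

// Placeholders cannot stand in for identifiers or keywords. When the user
// picks a sort column or direction, pick it from an allow-list instead.
const SORTABLE_COLUMNS = new Set(['price', 'name', 'created_at']);
const SORT_DIRECTIONS = new Set(['ASC', 'DESC']);

function buildProductSearch({ category, maxPrice, sortBy = 'price', order = 'ASC' }) {
  if (!SORTABLE_COLUMNS.has(sortBy)) {
    throw new Error(`unsupported sort column: ${sortBy}`);
  }
  const dir = String(order).toUpperCase();
  if (!SORT_DIRECTIONS.has(dir)) {
    throw new Error(`unsupported sort order: ${order}`);
  }
  const price = Number(maxPrice);
  if (!Number.isFinite(price) || price < 0) {
    throw new Error('maxPrice must be a non-negative number');
  }
  // Identifiers come from the allow-list; values stay in params.
  const sql = `SELECT * FROM products WHERE category = ? AND price < ? ORDER BY ${sortBy} ${dir}`;
  return { sql, params: [String(category), price] };
}

// Constructed attacker input: a tautology plus a comment that discards the
// rest of the statement.
const PAYLOAD = "' OR 1=1 --";

function demo() {
  const db = makeRecordingDb();
  const unsafe = findUserByNameUnsafe(db, PAYLOAD);
  const safe = findUserByNameSafe(db, PAYLOAD);
  return { unsafe, safe, sent: db.sent };
}

console.log(JSON.stringify(demo(), null, 2));
console.log(buildProductSearch({ category: 'books', maxPrice: '20', order: 'desc' }));
```

Running demo() shows the concatenated query arriving as SELECT * FROM users WHERE name = '' OR 1=1 --', which matches every row, while the parameterized query arrives unchanged with the payload sitting harmlessly in the params array. buildProductSearch() throws on any sort column or direction outside the allow-list, which is the only safe way to let users influence query structure.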
Summary
Query parameterization keeps your database safe from SQL injection attacks.
Always pass user inputs as separate parameters, never inside the query string.
Use your database library's placeholder syntax, and allow-list any identifiers that placeholders cannot cover.