How do I use “?” as variables for my values so that I don't get hacked?

I was wondering how I use question marks so that I don’t get hacked, because when I use this:

SQL = "INSERT INTO users (id, username) VALUES ( " + + ", " + + ")"

it gives me an error: Unknown column '(my username)' in 'field list'

I know you will say that there is already a post like this, but I am still kind of a beginner, so I don’t understand what they are saying.

How to solve:

Method 1

Caution: These methods of escaping values only work when the NO_BACKSLASH_ESCAPES SQL mode is disabled (which is the default state for MySQL servers).

In order to avoid SQL injection attacks, you should always escape any user-provided data before using it inside a SQL query. You can do so using the mysql.escape(), connection.escape() or pool.escape() methods:

// "connection" is an open connection obtained from mysql.createConnection(...)
var userId = 'some user provided value';
// escape() wraps the value in quotes and backslash-escapes characters such as ' and \
var sql    = 'SELECT * FROM users WHERE id = ' + connection.escape(userId);
connection.query(sql, function (error, results, fields) {
  if (error) throw error;
  // ...
});

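The question asks about “?” placeholders, which the answer above does not show. As an added example (not from the original question or answer, and not the mysql driver's own code), here is the parameterised form using the mysql npm driver's connection.query(sql, values, callback) signature, next to the concatenation pattern from the question. The escaper and the fake connection are constructed here so the file runs without a MySQL server; they follow the driver's sqlstring escaping rules but are a stand-in, not the library. The names buildInsertUnsafe, escapeValue, formatSql, insertUser and fakeConnection are hypothetical.

```javascript
// Added example, not code from the original page. Demonstrates "?" placeholders
// as used with the mysql npm driver; escapeValue/formatSql/fakeConnection are a
// constructed stand-in for the driver so this runs offline.

// The vulnerable pattern from the question: string concatenation. A username
// that is not quoted is parsed as a column name, which is exactly what produces
// "Unknown column '...' in 'field list'"; a crafted one changes the statement.
function buildInsertUnsafe(id, username) {
  return "INSERT INTO users (id, username) VALUES (" + id + ", " + username + ")";
}

// Escape one value the way mysql's SqlString.escape does (simplified stand-in;
// assumes NO_BACKSLASH_ESCAPES is off, as the answer's caution notes).
function escapeValue(v) {
  if (v === null || v === undefined) return 'NULL';
  if (typeof v === 'number') return String(v);
  if (typeof v === 'boolean') return v ? 'true' : 'false';
  var s = String(v).replace(/[\0\b\t\n\r\x1a"'\\]/g, function (ch) {
    switch (ch) {
      case '\0': return '\\0';
      case '\b': return '\\b';
      case '\t': return '\\t';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\x1a': return '\\Z';
      default: return '\\' + ch; // quotes and backslash
    }
  });
  return "'" + s + "'";
}

// Replace each "?" with the escaped value, left to right; this is what the
// driver does client-side inside connection.query(sql, values) / mysql.format().
function formatSql(sql, values) {
  var i = 0;
  return sql.replace(/\?/g, function () {
    if (i >= values.length) throw new Error('too few values for placeholders');
    return escapeValue(values[i++]);
  });
}

// The safe pattern: the statement text is a constant and the values travel
// separately, so a quote in the username can never end the string literal.
function insertUser(connection, id, username, callback) {
  connection.query(
    'INSERT INTO users (id, username) VALUES (?, ?)',
    [id, username],
    callback
  );
}

// Stand-in for a mysql connection (constructed for this example): records each
// call and the statement text a real connection would send to the server.
function fakeConnection() {
  var calls = [];
  return {
    calls: calls,
    query: function (sql, values, cb) {
      var rendered = formatSql(sql, values);
      calls.push({ sql: sql, values: values, rendered: rendered });
      if (cb) cb(null, { affectedRows: 1 });
    }
  };
}
```

With the real driver, replace fakeConnection() with mysql.createConnection({...}) and leave insertUser unchanged. Note that the mysql driver fills “?” placeholders on the client by escaping, so the NO_BACKSLASH_ESCAPES caveat in the answer applies to placeholders as well; if you want true server-side prepared statements, the mysql2 package provides them through connection.execute().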

All methods were sourced from, or are licensed under, CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.