sqlstring

This is the escape utility extracted from the mysql package itself, and it's remarkably straightforward in production. You get format() for parameterized queries with ? placeholders, escape() for individual values, and escapeId() for identifiers. Zero dependencies means zero supply chain risk, and it's completely stateless so there's no connection management or resource leaking to worry about.

In practice, it handles the common types well - strings, numbers, booleans, dates, arrays, and nulls all escape correctly. The format function supports both positional (?) and named (??) placeholders for identifiers. Performance is excellent since it's just string manipulation with no I/O. I've used this in high-throughput services where we build dynamic queries based on user filters, and it's never been a bottleneck.

The main limitation is it's purely a string utility - no query builder features, no type validation, and no protection against logical SQL injection if you're concatenating table names improperly. You still need to understand SQL injection vectors. Also, it's MySQL-specific escaping rules, so don't assume it works for PostgreSQL or other databases.

In practice, sqlstring does exactly what it promises: provides reliable SQL escaping for MySQL queries. The API is straightforward with `escape()`, `escapeId()`, and `format()` methods that handle the most common parameterization needs. I've used it extensively in legacy projects where we needed to manually construct queries, and it consistently produces properly escaped output that prevents SQL injection.

The format function with `?` placeholders works well for simple cases, and the automatic type handling (strings, numbers, booleans, dates, arrays) saves boilerplate. Critically, it doesn't try to be clever—it's a pure escaping library without hidden query execution, which aligns with secure-by-default thinking.

The main limitation is that it hasn't been updated since 2022, though MySQL escaping rules are stable enough that this isn't immediately concerning. Error handling is minimal—bad inputs generally return escaped strings rather than throwing, which could mask issues. For new projects, I'd still recommend a query builder or ORM with prepared statements, but for maintaining existing code or lightweight scripts, sqlstring remains a trustworthy tool.

sqlstring does exactly what it promises: provides basic SQL escaping and formatting for MySQL queries. The API is minimal with just a few methods like `escape()`, `escapeId()`, and `format()`. It works reliably for preventing SQL injection in legacy codebases or simple scripts where you're building raw SQL strings. The `format()` method supports `?` placeholders similar to prepared statements, which is its most useful feature.

The developer experience is quite dated, though. TypeScript support exists but is minimal—types are present but lack detailed generics or helpful inference. Documentation is sparse, essentially just a README with basic examples. Error messages are cryptic or non-existent; invalid inputs often just get stringified in unexpected ways rather than throwing clear errors. There's no validation guidance for what can safely be escaped.

In modern projects, you're almost always better served by ORMs like Prisma or query builders like Knex that provide parameterized queries natively. sqlstring feels like a relic from the pre-ORM era. It's functional for quick-and-dirty SQL construction, but you'll miss the safety nets and ergonomics of contemporary database libraries.