You are thinking about the problem in the wrong direction.
The correct way to prevent injection is to use the parameter mode of the official driver, because only the official version knows how to avoid being injected.
If you write SQL yourself, even if it is not injected now, maybe if one of the components involved in this link changes in the future, there will be a risk of being injected.
As long as you directly use variables to generate SQL statements, there is a risk of being injected.
sortField="id"
sortOrder="; drop table users; --"
Your SQL will become
You can test it directly with sqlmap; its engine is still very powerful.
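The parameter advice and the sortField/sortOrder case from the answers above, shown as an added example that is not code from this thread. Python's built-in sqlite3 stands in for the driver, and the users table and its column names are assumed. Placeholders bind values but not column names or ASC/DESC, so the sort options go through an allow-list.

```python
import sqlite3

# Allow-lists: identifiers and keywords cannot be bound as parameters, so user
# input is mapped to fixed SQL fragments (column names here are assumed).
SORT_FIELDS = {"id": "id", "name": "name"}
SORT_ORDERS = {"asc": "ASC", "desc": "DESC"}

def build_unsafe(sort_field, sort_order):
    """Vulnerable form: variables concatenated straight into the statement."""
    return "SELECT id, name FROM users ORDER BY " + sort_field + " " + sort_order

def build_safe(sort_field, sort_order):
    """Hardened form: only allow-listed fragments ever reach the SQL text."""
    try:
        column = SORT_FIELDS[sort_field]
        direction = SORT_ORDERS[sort_order.lower()]
    except (KeyError, TypeError, AttributeError):
        raise ValueError("unsupported sort option") from None
    # The value filter uses the driver's parameter placeholder.
    return f"SELECT id, name FROM users WHERE id >= ? ORDER BY {column} {direction}"

def list_users(conn, min_id, sort_field, sort_order):
    sql = build_safe(sort_field, sort_order)
    return conn.execute(sql, (min_id,)).fetchall()

def demo():
    # Constructed sample data in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "ann"), (2, "bob"), (3, "cy")])
    rows = list_users(conn, 2, "id", "DESC")
    hostile = "; drop table users; --"  # the sortOrder value quoted in the thread
    unsafe_sql = build_unsafe("id", hostile)  # built only to inspect, never run
    try:
        list_users(conn, 2, "id", hostile)
        rejected = False
    except ValueError:
        rejected = True
    remaining = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return rows, unsafe_sql, rejected, remaining

if __name__ == "__main__":
    print(demo())
```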