Untitled

var user = req.body;
var imgurl=projectDir +"/uploads/"+req.files.displayImage.name;
var sql= "INSERT INTO users values('','"+user.name+"','"+user.email+"','"+user.user+"','"+user.pass+"','"+imgurl+"',now())";

D:
ode/uploads/canvas.png

function mysql_real_escape_string (str) {
    return str.replace(/[x08x09x1anr"'\%]/g, function (char) {
        switch (char) {
            case "":
                return "\0";
            case "x08":
                return "\b";
            case "x09":
                return "\t";
            case "x1a":
                return "\z";
            case "n":
                return "\n";
            case "r":
                return "\r";
            case """:
            case "'":
            case "\":
            case "%":
                return "\"+char; // prepends a backslash to backslash, percent,
                                  // and double/single quotes
        }
    });
}

var sql= "INSERT INTO users values('','"+user.name+"','"+user.email+"','"+user.user+"','"+user.pass+"','"+mysql_real_escape_string(imgurl)+"',now())";

var sql= "INSERT INTO users SET ?";
// Connection attained as listed above.
connection.query( sql, { name:user.name, email:user.email, user:user.user, pass:user.pass, image:imgurl, timestamp:now()}, function(err, result){
   // check result if err is undefined.
});

var mysql      = require('mysql');
var connection = mysql.createConnection(...);
var userId = 'some user provided value';
var sql    = 'SELECT * FROM users WHERE id = ' + connection.escape(userId);
connection.query(sql, function(err, results) {
  // ...
});

var mysql      = require('mysql');
var connection = mysql.createConnection(...);
var userId = 'some user provided value';
var sql    = 'SELECT * FROM users WHERE id = ' + mysql.escape(userId);
connection.query(sql, function(err, results) {
  // ...
});