且构网


Preventing SQL injection with Node.js and MySQL

Updated: 2023-02-05 21:19:20

Yes, we should use prepared statements for that and ? as placeholders. In order to make it work, we should pass parameters as a separate argument:

const query = 'SELECT * FROM products WHERE id = ?';
const params = [req.params.id]; // req.params, not req.param (in Express, req.param is a function, so req.param.id is undefined)
connection.query(query, params, function (error, results, fields) {
    if (error) throw error;
    res.json(results); // inside an Express route handler, where req, res and connection are in scope
});

Another form:

connection.query(
    {
        sql: 'SELECT * FROM products WHERE id = ?',
        values: [req.params.id] // values are sent separately and escaped by the driver
    },
    function (error, results, fields) {
        if (error) throw error;
        res.json(results);
    }
);
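As an added illustration (not code from the original answer, and not the mysql driver's own implementation), the following builds the same query both ways: by concatenating request data into the SQL text, and by expanding the `?` placeholder from a separate values array using a simplified model of the client-side escaping a driver performs. The names `buildUnsafeQuery`, `escapeValue`, `formatQuery` and `parseProductId` are introduced here, and the request values are constructed samples.

```javascript
// Added illustration of what the `?` placeholder buys you. The escaping below is a
// simplified model written for this example, not the mysql driver's own code.
// All request values used here are constructed samples.

// Unsafe: interpolating request data straight into the SQL text.
function buildUnsafeQuery(id) {
  return 'SELECT * FROM products WHERE id = ' + id;
}

// Escape one value the way a driver does when it expands a `?` placeholder on the
// client side: strings are quoted with special characters escaped, numbers and
// booleans pass through, null becomes NULL.
function escapeValue(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') return String(value);
  if (typeof value === 'boolean') return value ? 'true' : 'false';
  const escaped = String(value).replace(/[\0\b\t\n\r\x1a"'\\]/g, (ch) => {
    switch (ch) {
      case '\0': return '\\0';
      case '\b': return '\\b';
      case '\t': return '\\t';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\x1a': return '\\Z';
      case '"': return '\\"';
      case "'": return "\\'";
      default: return '\\\\'; // the backslash itself
    }
  });
  return "'" + escaped + "'";
}

// Expand `?` placeholders from a separate values array, in the spirit of
// connection.query(sql, values): each value lands in the query as data, never as SQL.
function formatQuery(sql, values) {
  let i = 0;
  return sql.replace(/\?/g, () => {
    if (i >= values.length) throw new Error('not enough values for placeholders');
    return escapeValue(values[i++]);
  });
}

// Defence in depth for this route: the id column is numeric, so reject anything
// that is not a non-negative integer before a query is built at all.
function parseProductId(raw) {
  if (typeof raw !== 'string' || !/^\d+$/.test(raw)) return null;
  return Number(raw);
}

// Constructed sample of a tampered :id path parameter.
const tamperedId = '1 OR 1=1';

// Concatenation lets the input become part of the WHERE clause:
//   SELECT * FROM products WHERE id = 1 OR 1=1
const unsafeQuery = buildUnsafeQuery(tamperedId);

// The placeholder turns the whole input into one string literal compared against id:
//   SELECT * FROM products WHERE id = '1 OR 1=1'
const safeQuery = formatQuery('SELECT * FROM products WHERE id = ?', [tamperedId]);

console.log(unsafeQuery);
console.log(safeQuery);
console.log(parseProductId(tamperedId)); // null: rejected before any query is built
```

The point to take from the two printed queries is that the placeholder form never lets request data change the shape of the statement; the validation step is extra and cheap for a numeric key, but it is the parameter passing that removes the injection.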

See documentation for more examples.