I think there's an SQL injection in your /settings route. feed-query also looks extremely sketchy. In general, never build queries with JavaScript template strings from unsanitized user input.
Yes, totally agree with you about the SQL injection; though if you have noticed, there is no SETTINGS table there. I had left it like this to show the example cases rather than making it a full-fledged solution.
The goal was to demonstrate the creation of REST APIs with Node.js, Express, and MySQL; I am pretty sure there are so many packages out there to efficiently generate the query for the MySQL engine.
By keeping things more crude, the reader who is willing to try it out will get a better idea of what is going on, rather than plugins taking care of it.
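
The point raised in the first comment, as an added example that is not part of the thread or of the tutorial's code: a query built with a template string next to one built with `?` placeholders and an allow-list for identifiers. The `feed` table, its columns and the function names are hypothetical, and the sample input is constructed.

```javascript
// Added example; table, column and function names are hypothetical.
// Values are bound as placeholders. Identifiers (column names, sort direction)
// cannot be bound, so they are checked against fixed allow-lists instead.
const SORTABLE = new Set(["id", "title", "created_at"]);
const DIRECTIONS = new Set(["ASC", "DESC"]);

// The pattern criticised above: request input interpolated into the SQL text.
function buildFeedQueryUnsafe(params) {
  return `SELECT id, title FROM feed WHERE author = '${params.author}' ORDER BY ${params.sort}`;
}

// Hardened form: returns SQL text with placeholders plus a separate value list.
function buildFeedQuery(params) {
  const where = [];
  const values = [];
  if (params.author !== undefined) {
    // Express can parse a query parameter into an array or object; accept strings only.
    if (typeof params.author !== "string") throw new TypeError("author must be a string");
    where.push("author = ?");
    values.push(params.author);
  }
  const sort = params.sort ?? "created_at";
  if (!SORTABLE.has(sort)) throw new RangeError("sort column not allowed");
  const dir = String(params.dir ?? "DESC").toUpperCase();
  if (!DIRECTIONS.has(dir)) throw new RangeError("sort direction not allowed");
  const limit = Number(params.limit ?? 20);
  if (!Number.isInteger(limit) || limit < 1 || limit > 100) {
    throw new RangeError("limit must be an integer from 1 to 100");
  }
  values.push(limit);
  const filter = where.length ? ` WHERE ${where.join(" AND ")}` : "";
  return { sql: `SELECT id, title FROM feed${filter} ORDER BY ${sort} ${dir} LIMIT ?`, values };
}

// Constructed sample input, shaped like a parsed query string.
const sample = { author: "o'brien", sort: "title", dir: "asc", limit: "10" };

// Even a benign apostrophe changes the statement's structure in the unsafe form.
console.log(buildFeedQueryUnsafe(sample));
// In the hardened form the same value never becomes part of the SQL text.
console.log(buildFeedQuery(sample));
```

With a driver that accepts placeholder values separately, such as the `mysql` package's `connection.query(sql, values, callback)`, the returned `sql` and `values` are passed as the first two arguments.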