I would recommend using ? placeholders, which perform escaping.
// The LIKE wildcards go into the bound value, not around the placeholder:
// the driver substitutes every ? (even one inside quotes), so LIKE '%?%'
// would produce a broken, mis-quoted statement.
var query = 'SELECT email FROM users WHERE firstName LIKE ?';
connection.query(query, ['%' + firstName + '%'], function (error, rows, fields) {
//someCodeHere...
});
Also, you may want to not set multipleStatements to true. It is false by default, but as noted in the readme, it is susceptible to SQL injections. Whether or not that is the case when input is escaped, I'm not sure.
multipleStatements: Allow multiple mysql statements per query. Be careful with this, it exposes you to SQL injection attacks. (Default: false)