13

I want to write an SQL query that contains a NodeJS variable. When I do this, it gives me an error of 'undefined'.

I want the SQL query below to recognize the flightNo variable. How can a NodeJS variable be input into an SQL query? Does it need special characters around it like $ or ?.

app.get("/arrivals/:flightNo?", cors(), function(req,res){
var flightNo = req.params.flightNo;

connection.query("SELECT * FROM arrivals WHERE flight = 'flightNo'", function(err, rows, fields) {
Improve this question

2 Answers 2

Reset to default
26

You will need to put the value of the variable into the SQL statement.

This is no good:

"SELECT * FROM arrivals WHERE flight = 'flightNo'"

This will work, but it is not safe from SQL injection attacks:

"SELECT * FROM arrivals WHERE flight = '" + flightNo + "'"

To be safe from SQL injection, you can escape your value like this:

"SELECT * FROM arrivals WHERE flight = '" + connection.escape(flightNo) + "'"

But the best way is with parameter substitution:

app.get("/arrivals/:flightNo", cors(), function(req, res) {
  var flightNo = req.params.flightNo;

  var sql = "SELECT * FROM arrivals WHERE flight = ?";
  connection.query(sql, flightNo, function(err, rows, fields) {
  });
});

If you have multiple substitutions to make, use an array:

app.get("/arrivals/:flightNo", cors(), function(req, res) {
  var flightNo = req.params.flightNo;
  var minSize = req.query.minSize;

  var sql = "SELECT * FROM arrivals WHERE flight = ? AND size >= ?";
  connection.query(sql, [ flightNo, minSize ], function(err, rows, fields) {
  });
});
Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

Should I use connection.escape even when I want to use "INSERT INTO table" command ? So it should be like this: "INSERT INTO table VALUES ('" + connection.escape(flightNo) + "'")"
You should protect against SQL injection with every query. Better to use connection.query('INSERT INTO table VALUES (?)', flightNo, function(err, result) { });
This is how am doing it: var sql = "INSERT INTO admins VALUES(null, '" + adminUser +"', '" + adminPass + "', '" + adminName + "' , '"+ adminSurname +"') "; con.query(sql,function(error, rows, fields){ if(!!error) { console.log('Query Failed' + error.message); } else { console.log('Query Successful'); console.log(rows.insertId); next(); } });
@ChristosMichael You should be escaping those values. I'd do it with parameter substitution: codeshare.io/2WbdvY
IBM_DB requires the parameters be an array even if there's only one of them.
-1

From ES6 you can use template literals with ${expression}.

Template literals are literals delimited with backtick (`) characters, allowing multi-line strings and interpolation with expressions.

Use like this:

connection.query(`
SELECT * 
FROM arrivals 
WHERE flight = ${flightNo}
`, //rest of your code
Improve this answer

1 Comment

Don't use this, as this is direct sql injection example.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.