Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 1 year ago.
Improve this question
I am following this tutorial here, crud app with node js and mysql.
My database, crud_app has a table named crud_table, and crud_table has got 3 columns, id, names, and date_added.
I am trying to make a SQL query using node js
async getAllData() {
try {
const response = await new Promise((resolve, reject) => {
const query = "SELECT * FROM names"
connection.query(query, (err, results) => {
if (err) { reject(new Error(err.message))}
resolve(results)
})
});
console.log(response);
return response;
} catch (error) {
console.log(error)
}
}
But I get this error
Error: ER_NO_SUCH_TABLE: Table 'crud_app.names' doesn't exist
And again I went to PHPMyAdmin to run this query in the console.
SELECT * FROM names
Output
It is claiming that the names column does not exist but you can clearly see the column here
Is there any way I can resolve this problem?
Your table name is crud_table and within your table you have the column names. You cant select all the date from a column by using SELECT * on the column,with SELECT you select data from your table in your case crud_table,so if you want all the names then try this "SELECT names FROM crud_table"
Related
I've been developing an "Employee leave management" web app project for our internal use using node.js with express and ejs template. Now, my employer wants me to make the app accessible through internet and I'm worried about SQL injection.
Let's say I have a button like this in html:
Edit
This will GET from index.js file:
const { edit } = require("./request");
app.get("/edit/:ReqID", edit);
This will then go to module edit in request.js file:
module.exports = {
edit: (req, res) => {
let ReqID= req.params.ReqID;
let squery = `SELECT * FROM table1 WHERE ReqID="${ReqID}";
SELECT * FROM table2 WHERE ReqID="${ReqID}";`;
db.query(squery, function (err, result) {
if (err) {
return res.status(500).send(err);
}
res.render("edit.ejs", {
srecords1: result[0],
srecords2: result[1]
})
})
}
}
There might be two or more queries in there and I'm using mysql driver for node.js with multipleStatements: true and I'm aware of warning "Support for multiple statements is disabled for security reasons (it allows for SQL injection attacks if values are not properly escaped)." This will return something like http://localhost:port/edit/reqid on the browser address box. I saw a video from youtube that says SQL Injection can be done through the browser's address box like http://localhost:port/edit/reqid;";SELECT * FROM users; so I did that and for sure I can see that syntax being send to the server. So I follow the suggestion in the video to do a placeholder like this:
module.exports = {
edit: (req, res) => {
let ReqID= req.params.ReqID;
let squery = `SELECT * FROM table1 WHERE ReqID= ?;
SELECT * FROM table2 WHERE ReqID= ?;`;
db.query(squery, [ReqID, ReqID], function (err, result) {
if (err) {
return res.status(500).send(err);
}
res.render("edit.ejs", {
srecords1: result[0],
srecords2: result[1]
})
})
}
}
Then I try the extreme http://localhost:port/edit/reqid;";DELETE FROM users; and http://localhost:port/edit/reqid;";DROP TABLE users; separately and it works! First it deletes data from users tble and for sure the second drop table command also worked. After the first attempt, I refresh the browser with the same sql injection syntax and I've got this message:
{"code":"ER_BAD_TABLE_ERROR","errno":1051,"sqlMessage":"Unknown table 'users'","sqlState":"42S02","index":1,"sql":"SELECT * FROM table1 WHERE ReqID= "ReqID;";drop table users;";SELECT * FROM table1 WHERE ReqID= "ReqID;";drop table users;";"}
So, the table users clearly have been dropped from the database.
Update:
I did further testing based on the information I gained from this answer and I did something like this:
module.exports = {
edit: (req, res) => {
let ReqID= req.params.ReqID;
db.query(`SELECT * FROM table1 WHERE ReqID= ?; SELECT * FROM table2 WHERE ReqID= ?;` , [ReqID, ReqID], function (err, result) {
if (err) {
return res.status(500).send(err);
}
res.render("edit.ejs", {
srecords1: result[0],
srecords2: result[1]
})
})
}
}
Then I re-test with multiple variation of http://localhost:port/edit/reqid;";DROP TABLE users; (double quote in between)
http://localhost:port/edit/reqid;';DROP TABLE users; (single quote in between) etc. and it doesn't seem to be dropping the table anymore. However, I still see the statement being sent to the server so I'm still wary of the DROP syntax being effective somehow.
Update 2:
Note: Fortunately, the deployment has been delayed and I have more time to sort out the issue.
After researching for a while, taking the comments into consideration and testing multiple method, I came up with this structure:
function(req, res) {
let dcode = [req.body.dcode];
let query1 =`SELECT col1, col2 FROM table1 WHERE DCode=?`;
db.query(query1, dcode, function(err, result_1) {
if (err) {
return res.status(500).send(err);
}
let query2 =`SELECT col1, col2 FROM table2 WHERE DCode=?`;
db.query(query2, dcode, function(err, result_2) {
if (err) {
return res.status(500).send(err);
}
res.render("login.ejs", {
result1: result_1,
result2: result_2
});
});
});
}
Which is simple enough and no major change to my current codes. Would this be sufficient to prevent SQL injection in node.js?
Allowing multi-statement strings, itself, invites SQL injection. So, avoid it.
Plan A:
Consider ending an array (perhaps in JSON) to the server; let it then execute each statement, and return an array of resultsets.
But it would be simpler to simply issue the statements one at a time.
(If the client and server are far apart, the one-statement-at-a-time method may cause a noticeable latency.)
Plan B:
Build suitable Stored procedures for any multi-statement needs. This, where practical, avoids multi-statement calls. And avoids latency issues (usually).
Here are a few suggestions that might help:
Never use template strings like this: Select * from table where id = ${value}. SQL injections will happen - 100%!. Instead you should use build in driver defense mechanism. Like this: query('Select * from table where id = ?', [value]). This should prevent SQL injection.
Use single statements per query. If you need to do multiple operations in one request to database - consider creating stored procedure. Stored procedures also have build in security mechanism.
Consider using query builder or ORM. They also have additional layer of security on top of build in driver one.
You could also explicitly escape SQL string with help of 3rd party library.
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 2 years ago.
Improve this question
I am getting RowPacketData after executing a query, now I want to convert that RowPacketData to an array so that I can perform different operations on it.
var query = `Select products.*, product_images.Image_Name
from products INNER JOIN product_images
ON products.Id=product_images.Product_Id ORDER BY Id limit ${LimitNum} OFFSET ${startNum}`;
db.query(query , function(err,rows, fields)
{
if (err)
{
res.status(500).send({ error: 'Following Error Occured : '+ err });
console.log('Following Error Occured : ' + err);
}
else
{
res.json(rows);
console.log('20 Products Displayed on Page : ' + page);
}
})
Note : I am using node js.
I think your problem is with your db connection. You should add a check for the db connection before you do the query.
See here for example:
https://www.w3schools.com/nodejs/nodejs_mysql_select.asp
Your query and code looks correct. Start with a simpler query and expand it slowly(This will detect error in query) and also make the connection at same place with error handling. To 100% sure you have a connection.
var mysql = require('mysql');
var con = mysql.createConnection({
host: "localhost",
user: "yourusername",
password: "yourpassword",
database: "mydb"
});
con.connect(function(err) {
if (err) throw err;
con.query("Select * from products limit", function (err, result, fields) {
if (err) throw err;
console.log(result);
});
});
PS: I can not make comment so needed to write an attempt on answer directly. However should be good to know if you are sure you have a connection, so that can be taken out of the problem equation.
I have a problem I need help with a question. So the problem is I have a route to display all rows of my students table and it works, but know when I try the code below to search for a specific student_id I get:
"Failed to query for users: Error: ER_BAD_FIELD_ERROR: Unknown column 'undefined' in 'where clause'"
I have tried the queryString as:
My table has student_id, firstName, lastName, checkIn, and checkOut as columns.
They are all VARCHARS.
queryString = SELECT * FROM students WHERE student_id = ${id}
queryString = SELECT * FROM students WHERE student_id = ? and then getConnection().query(queryString, [id], (err, rows, fields) => {
But I get the same error, I would really appreciate the help.
The question that I have would be implementing after all my different search routes work as intended to display the data nicely in html, but I'm new to this and I can't find anything to help me with this problem. I would like it to display as a list almost like MySQL displays it. Is that possible? I'm using the ejs view engine as my html pages.
// Route to search by id
router.get("/searchById", (req, res) => {
const id = req.body.id
queryString = `SELECT * FROM students WHERE student_id = ${id}`
getConnection().query(queryString, (err, rows, fields) => {
// If error occures
if(err) {
console.log("Failed to query for users: " + err)
res.sendStatus(500)
return
}
if(rows) {
console.log(rows)
console.log("We fetched Students successfully")
res.json(rows)
}
})
})
For GET request you should use req.query.id
For post request you should use req.body.id
In your code you have used get request and tried to fetch req.body.id
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 5 years ago.
Improve this question
I'm making an app that retrieves information from SQL databases and displays the info in node, but I'm a bit stuck in trying to find a way to print the entire table as a table instead of the loose individual data. Is there an npm package that might do this that you might recommend? If not, is there an obvious way to do this I'm not seeing?
Thanks for the help.
I've used https://www.npmjs.com/package/table for this. See example for logging mysql output ( I'm using it in my simple mysql repl - https://github.com/sidorares/myki ):
const connection = mysql.createConnection(Object.assign({}, config, { rowsAsArray: true }));
const chalk = require('chalk');
function myEval(cmd, context, filename, callback) {
connection.query(cmd, (err, rows, fields) => {
if (err) {
if (!err.fatal) {
console.log(chalk.red(err.message));
return;
} else {
return callback(err);
}
}
console.log(
table([fields.map(f => chalk.bold(f.name))].concat(rows.map(r => r.map(c => util.inspect(c, { colors: true })))))
);
callback(null);
});
}
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 6 years ago.
Improve this question
I am trying to create an online directory, where, for example, people can search through the website and find all takeaways that have a specific type. For example:
"Indian",
"Chinese"
etc..
I have 3 tables:
Business
Tags
Business Tags
And my model is as follows:
class Business extends Model
{
protected $table = 'businesses';
protected $fillable = [
'business_name', 'postcode'
];
public function tags()
{
return $this->belongsToMany('App\Tags');
}
}
The issue is, whenever I come to do the search, and try to do a whereIn the issue is that it takes forever to load, in fact, it doesn't even load. For example:
$business = Business::whereHas('tags', function($tag) use ($request) {
if($request->get('terms'))
{
$tag->whereIn('tags.name', ['chinese']);
}
})->get();
So my question is this:
I have just over 10k rows of data stored inside the table. This table is split into three "Business", "Tags", "Business Tags". The process above is taking so long to complete, probably because I use the whereHas('tags') and whereIn therefore, how do I go about using the following syntax:
$business = Business::where( function ($business) use ($request) {
// Search for businesses with a specific tag, passed from request
});
Is this possible?
I'm just wild guessing here, but try to pull the condition outside of the function and don't specify the name of the table:
if($request->get('terms'))
{
$business = Business::whereHas('tags', function($tag) use ($request) {
$tag->whereIn('name', ['chinese']);
})->get();
}