Try to make the following SQL query using the node mysql2 package:
SELECT name, someObject->>"$.foo" as slice
FROM someTable;
The table someTable has 2 columns: name, a varchar; and someObject, a JSON column.
Imagine at least one row exists like this:
name someObject
==========================
John { "foo": "bar" }
The expected result of the query is:
name slice
==========================
John bar
Simply doing this works:
const result = await connection.query('SELECT name, someObject->>"$.foo" as slice FROM someTable');
However, I need the foo value escaped as it is user input. How to properly escape this?
Writing the question, I figured out the answer. Hopefully this can be helpful to others.
Considering the column / slice string: someObject->>"$.foo"
The answer is: Treat the column portion (someObject) as a column, and treat the string portion ($.foo) as a string.
So to escape it properly do this:
const columnName = "someObject";
const sliceName = "$.foo";
const sql = 'SELECT name, ??->>? as slice FROM someTable';
const values = [columnName, sliceName];
const result = await connection.query(sql, values);
Related
let r={ email:faker.internet.email() } ;
connection_var.query("insert into users set ?",r, function(err,res){
if(err) throw err;
console.log(res);
} );
connection_var.end();
I wrote this code to insert a fake email addr in already existing database and into the users table just the problem is I am not fully able to understand what and how does the " SET ?" work and how is it relating to r and what if r has more than 1 key-value pairs
? is a placeholder. It gets replaced with all the keys and values in the object passed as the next argument. So if you have
let r = {col1: 1, col2: "abc", col3: 999};
the query will become
insert into users set col1 = 1, col2 = 'abc', col3 = 999
You have 2 separated things here
First is the SET clause (for the insert) that from the documentation:
A SET clause indicates columns explicitly by name, together with the value to assign each one.
link: https://dev.mysql.com/doc/refman/8.0/en/insert.html
The other part is the ? the according to the documentation of mysqljs:
... you can use ? characters as placeholders for values you would like to
have escaped
link: https://github.com/mysqljs/mysql
So, the SET indicates the assignment list of the insert and the ? escapes the values.
I have a very simple Knex query against a MySQL table to find the maximum value of the id column:
const maxId = await knex('some_table').max('id').first()
But this returns a TextRow object with a single, oddly named property. From a console.log:
TextRow { 'max(`id`)': 99 }
Is there an easy way for me to get the value, or do I have to use object property notation like this:
const idValue = maxId['max(`id`)']
It appears the easiest answer is to alias the result, as in the second example shown here:
const maxIdQuery = await knex('some_table').max('id as maxId').first()
console.log(maxIdQuery.maxId) // shows the value
Alternate syntax:
const maxIdQuery = await knex('some_table').max('id', { as: 'max_id' })
console.log(maxIdQuery[0]['max_id'])
Hope this helps someone in the future.
I tried invoke bulk update query on mysql using knex raw method.
const ids:number[] = [1,2,3];
const values:string[] = ['apple', null, "orange"]
knex('testtable').raw(
`
UPDATE
TEST_TABLE
SET
COL1 = ELT(FIELD(id, :searchIds), :searchValues),
UPDATE_DATE = NOW()
WHERE ID IN (:searchIds)
`,
{ searchIds: ids, searchValues: values },
);`enter code here`
However, the intended result was not obtained.
This is because values contains a string and null, but theraw method's placeholders do not allow nulls.
Please tell me ,How do I set null to placeholder?
Binding array of values in knex doesn't work like that. SQL has multiple type of arrays, so those cannot be mapped to SQL unambiguous manner.
In docs: https://knexjs.org/#Raw-Bindings is an example how to pass arrays of values to knex.
const myArray = [1,2,3]
knex.raw(
`select * from users where id in (${myArray.map(() => '?').join(',')})`,
[...myArray]
);
In this case using named bindings pretty much impossible (actually named bindings are converted to positional bindings inside knex so there wont be even performance hit because of that).
I have a simple query that I want to pass an array inside which has 5 items. I am using the mysql module so I know it can be done but am not doing the synatx right and therefore getting a syntax error.
Below is the query:
`UPDATE table1 SET table1.col=0 WHERE (table1.col2) IN = (?) AND table1.id=(SELECT ...);`,[arr]
//arr = [1,2,3,4,5];
I have tried:
`UPDATE table1 SET table1.col=0 WHERE (table1.col2) IN = (?,?,?,?,?) AND table1.id=(SELECT ...);`,[arr]`
but I still get a syntax error.
Adding on to Bill Karwin's answer, you can also pass an array to the MySQL query against the '?' placeholder in the same way
WHERE table1.col2 IN (?)
//arr = [1,2,3,4,5];
Passing arr along with the query will convert it to the required SQL string. The mysql module uses the 'SqlString.arrayToList' function from 'sqlstring' module internally for the transformation:
https://github.com/mysqljs/sqlstring/blob/8f193cae10a2208010102fd50f0b61e869e14dcb/lib/SqlString.js#L60
In my case, array inside of array is needed to get this working. Just array variable as parameter passed only first number to sql.
Here is an example: (Notice ids inside of array as the second parameter)
var sql = "SELECT * FROM table WHERE ID IN (?)";
var ids = [1,2,3];
pool.query(sql, [ids], function (err, result, fields) {
if(err) {
console.log(err);
}
else {
console.log(result);
}
}
The syntax of the IN() predicate does not use =.
WHERE (table1.col2) IN = (?,?,?,?,?)
should be
WHERE table1.col2 IN (?,?,?,?,?)
Tip: you can (and should) check syntax yourself in the documentation, so you can get answers more easily than posting to Stack Overflow.
https://dev.mysql.com/doc/refman/5.7/en/comparison-operators.html#function_in
I have a simple nodejs application which executes the following query.
select * from User where userid in (?)
The userids i get is a JSON array send from client side. How can i use that in this select query ? I tried
1. As itself but not working.
2. Convert this to Javascript array, not working
If you are using node module like mysql, the 2nd approach should work.
var query=select * from User where userid in (?);
var data=['a','b','c'];
var queryData=[data];
conn.query(query, queryData, function (err, results) {})
According to the documentation, "Arrays are turned into list, e.g. ['a', 'b'] turns into 'a', 'b'". So this approach should work (I have used it practically).
If you pass an array to the parameter it works with node mysql2. Parameters are already passed as arrays, so your first parameter needs to be an array [[1,2,3]].
select * from User where userid in (?)
const mysql = require('mysql2/promise');
async function main(){
let db = await mysql.createPool(process.env.MYSQL_URL);
let SQL = 'select * from User where userid in (?)';
let [res, fields] = await db.query(SQL, [[1,2,3]]);
console.log(res)
return res;
}
main().then(() => {process.exit()})
Revisiting this, since the original approach on the question is valid, but with some caveats. If your only escaped argument is the one on the IN clause, then you have to specify it as nested array; something like: [['usrId1', 'usrId2', 'usrIdN']]. This is because the un-escaping functionality expects an array, replacing each '?' with the corresponding array element. So, if you want to replace your only '?' with an array, that array should be the first element of all arguments passed. If you had more than one '?', the syntax is more intuitive, but at the end consistent and the same; in this case, you could have your arguments similar to: ['myOtherArgument1', 'myOtherArgument2', ['usrId1', 'usrId2', 'usrIdN'], 'myOtherArgument3']
Something like this could work!
// get your possible IDs in an array
var ids = [1,2,3,4,5];
// then, create a dynamic list of comma-separated question marks
var tokens = new Array(ids.length).fill('?').join(',');
// create the query, passing in the `tokens` variable to the IN() clause
var query = `SELECT * FROM User WHERE userid IN (${tokens})`;
// perform the query
connection.query(query, ids, (err, data) => {
// do something with `err` or `data`
});
You can do like this:
select * from User where userid in (?,?,?,?)
var array = [];
array.push(value);
array.push(value);
array.push(value);
array.push(value);
then use array as parameter that should be bind.
// get query string data with commas
var param=req.params['ids'];
//damy data var param = [1,2,3,4,5];
var array = params.split(",").map(Number);
//Note in select query don't use " and ' ( inverted commas & Apostrophe)
// Just use ` (Grave accent) first key off numeric keys on keyboard before one
con.query(`select * from TB_NAME where COL IN(?)`,[array],(err,rows,fields)=>{
res.json(rows);
});
let val = ["asd","asd"]
let query = 'select * from testTable where order_id in (?)';
connection.query(query, [val], function (err, rows) {
});
In Node, you need to put array in the array.
Update: Please see this answer. It is the correct way to do what is asked in the question.
The methods I have tried are:
Expand JSON array to a string in the required format. Concatenate it with query using '+'. (Beware of SQL injections)
Dynamically add '?' using length of JSON array holding user ids. Then use the array to provide user ids.
Both works. I then changed my logic with a better approach so now i don't need then 'in' clause anymore.