const {tableName,recordId,idName}= req.query;
const arrayParam=[tableName,idName,recordId];
let sqlstmt="UPDATE ? SET status = 'deleted' WHERE ? = ?"
db.query(sqlstmt,arrayParam,(err,result) => {
if(err){console.log('Error occured while fetching user information',err)
res.send(err)
}
console.log(result);
res.send(result);
});
});
Error:
sqlMessage: "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''trainingRecords' SET status = 'deleted' WHERE 'recordId' = '10000107'' at line 1",
sqlState: '42000',
index: 0,
sql: "UPDATE 'trainingRecords' SET status = 'deleted' WHERE 'recordId' = '10000107'"
In the above snippet, from my understanding, it's the " ' " (single quotes added in the parameterization) that is causing the issue. Any suggestions to fix this?
Don't use prepared statements to inject table names or fields that you are using to filter or update. Try using this query.
UPDATE trainingRecords SET status = 'deleted' WHERE recordId = ?
Related
I have a (currently localhost, but soon to be through AWS) Node.JS server with Express and I'm trying to update an RDS instance through a MySQL query when I'm getting the following error:
{ [Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''history0' = 'http://localhost:3000/' WHERE id = 1' at line 1]
code: 'ER_PARSE_ERROR',
errno: 1064,
sqlMessage: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near \'\'history0\' = \'http://localhost:3000/\' WHERE id = 1\' at line 1',
sqlState: '42000',
index: 0,
sql: 'UPDATE infected SET \'history0\' = \'http://localhost:3000/\' WHERE id = 1;' }
The POST request causing the error:
app.post('/history', function(req, res) {
var hist = 'history' + 0;
var sql = 'UPDATE infected SET ? = ? WHERE id = ?;';
connection.query(sql, [hist, req.body[0].url, 1]);
});
I'm using hist as a variable because I plan to have it in a loop, but I wasn't sure if the way I'm declaring it here is causing the issue so I left it as is. req.body is the output of JSON.stringify() called on call to chrome.history.search(). So I'm trying to get the URL of the entry at index 0.
I've tried a direct call to connection.query with a hard-coded string as follows:
connection.query("UPDATE infected SET history0='google.com' WHERE id='1'");
and it successfully updates the database, so I figure there's an issue with how I'm using the question marks to insert variables hist and req.body[0].url into the query, but I can't figure out what the issue is.
try with double "??" for the keys, this way:
app.post('/history', function(req, res) {
var hist = 'history' + 0;
var sql = 'UPDATE infected SET ?? = ? WHERE id = ?;';
connection.query(sql, [hist, req.body[0].url, 1]);
});
I've got a dynamically assigned number of rows which I need to update. I created an array of arrays to keep all of those values and send them in one query. Each array contains three values A - a value which I want to update and B, C - keys necessary to recognize which row need to be updated.
var arrData = [];
arrData[0] = [43,54,67];
arrData[1] = [56,68,75];
arrData[2] = [43,67,75];
...
var query = "UPDATE my_table SET A_row = ? WHERE B_row = ? AND C_row = ?";
connection.query(query,[arrData], function(err,response){
if(err)
{
console.log(err)
}
else{ ... });
But then I get this error:
Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '? AND C_row = ?' at line 1
What do I do wrong here?
Each ? needs to resolve to an actual value. So you need a loop with a counter to set the index on the array and call the query ... something like,
...
for(cnt=0;cnt< length;cnt++) {
connection.query(query,arrData[cnt], function(err,response){
if(err){console.log(err)
else{ ... });
this is part of the code i use
var insertedData = {
name: 'testname',
score: '1337'
};
connect.query('INSERT INTO table SET ?', insertedData, function(error, result){
and this is the error i got
{ [Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check
the manual that corresponds to your MySQL server version for the right
syntax to use near 'table SET name = 'Hek', score = '12'' at line
1]code: 'ER_PARSE_ERROR', errno: 1064, sqlState: '42000',index: 0 }
table is a reserved word in MySQL. I'd advise to rename your table to something else. If this is absolutely not a possibility for you, you can escape it with backticks:
connect.query('INSERT INTO `table` SET ?', insertedData, function(error, result){
exports.creategroup= function(callback,name,email,firstname)
{
// var connection=pool.getConnection();
var connection=connect();
console.log(email);
console.log(firstname);
var query="CREATE TABLE "+name+"(membername varchar(50) NOT NULL,email varchar(50) NOT NULL)";
var query1="INSERT INTO'"+name+"'(membername,email) VALUES('"+email+"','"+firstname+"')";
console.log(query);
connection.query(query,function(err,result){
if(err)
{
console.log("ERROR:"+err.message);
}
else
{
if(result.length!==0)
{
console.log("DATA : "+JSON.stringify(result));
callback(err, result);
}
else
{
callback("Invalid Username", result);
}
}
//pool.returnConnection(connection);
});
//The insert into query gives an error. I can't figure out what syntax error i have made. Could someone please help. The table is being created. The error I am facing in the insert is
ERROR:ER_PARSE_ERROR: You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right
syntax to use near ''sad'(membername,email) VALUES('hunur','Sachin
Mallikarjun')' at line 1
here sad was passed as the argument for table name
You've put the table Name in ' ticks, that's not valid. Below will work:
var query1="INSERT INTO "+name+" (membername,email) VALUES('"+email+"','"+firstname+"')";
Please note that you absolutely shouldn't run a query like this as it is vulnerable to mysql injection. Use the escaped query node-mysql offers instead.
var query = "INSERT INTO ?? (??,??) VALUES (?,?)";
var values = [name,'membername','email',firstname,email];
mysql.query(mysql.format(query, values), function(err,result,tableInfo){/*...*/})
Like this, node-mysql prepares the query for you. Every ?? represents a table or column name while every ? stands for a value to be inserted. You can verify this by
console.log(mysql.format(query,values));
i trying to insert json created in node.js into mysql,
but there is a error in syntax, i am not able to rectify the error,
any help will be appreciated
my code
flowController.on('2', function (_selfid,_participantId,_groupid,_allMemberContent)
{
var allMemberDetailSQL= "SELECT spFunAllMemberNotificationDetails("+ _selfid + "," + _participantId +") as groupparticipants";
console.log("allMemberDetailSQL"+allMemberDetailSQL);
client.query(allMemberDetailSQL,function(detailERROR,detailResult)
{
if (detailERROR)
console.log("detailERROR "+ detailERROR);
else
{
var detailstr='';
detailstr = JSON.stringify(detailResult);
console.log('detailResult :'+ detailstr);
console.log("detailResult "+detailResult[0].groupparticipants);
var otherArray = [detailResult[0].groupparticipants];
var _allMemberDetail = JSON.stringify({
selfid: _selfid,
groupid: _groupid,
anArray: otherArray
});
console.log("_allMemberDetail " +_allMemberDetail);
var allMemberDetail = "'"+_allMemberDetail+"'";
console.log("allMemberDetail "+allMemberDetail);
client.query("INSERT INTO cmNotification (notificationSenderId, notificationReceiverId)"+"VALUES('"+_selfid+"','"+ _allMemberDetail+ "');", function(err, rows)
{
console.log("error insert "+err);
console.log("rows insert"+rows);
//connection.release();
});
}
});
});
console output
allMemberDetailSQLSELECT spFunAllMemberNotificationDetails(20,16) as groupparticipants
detailResult :[{"groupparticipants":"userid:'15',firstname:'pitu15',lastname:'',isfriend:'1',profilepicurl:''"}]
detailResult userid:'15',firstname:'pitu15',lastname:'',isfriend:'1',profilepicurl:''
_allMemberDetail {"selfid":"20","groupid":"15","anArray":["userid:'15',firstname:'pitu15',lastname:'',isfriend:'1',profilepicurl:''"]}
allMemberDetail '{"selfid":"20","groupid":"15","anArray":["userid:'15',firstname:'pitu15',lastname:'',isfriend:'1',profilepicurl:''"]}'
detailResult :[{"groupparticipants":"userid:'16',firstname:'pitu16',lastname:'',isfriend:'0',profilepicurl:''"}]
detailResult userid:'16',firstname:'pitu16',lastname:'',isfriend:'0',profilepicurl:''
_allMemberDetail {"selfid":"20","groupid":"15","anArray":["userid:'16',firstname:'pitu16',lastname:'',isfriend:'0',profilepicurl:''"]}
allMemberDetail '{"selfid":"20","groupid":"15","anArray":["userid:'16',firstname:'pitu16',lastname:'',isfriend:'0',profilepicurl:''"]}'
error insert Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '15',firstname:'pitu15',lastname:'',isfriend:'1',profilepicurl:''"]}')' at line 1
rows insertundefined
error insert Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '16',firstname:'pitu16',lastname:'',isfriend:'0',profilepicurl:''"]}')' at line 1
rows insertundefined
Use built in parameters escaping to prevent sql injection attack. "INSERT INTO ... SET ?" also makes life easier:
client.query("INSERT INTO cmNotification SET ?", {notificationSenderId: _selfid, notificationReceiverId: _allMemberDetail}, function(err, rows) {
// ...
});