MySql node, how to escape queries?

andre_x · 14 July 2023 07:32

I'm using the node-red-node-mysql, but I need to escape the queries, mainly because the single quotes brakes the queries.
How can I do that?
Thanks!

Colin · 14 July 2023 08:17

Show us an example query you are trying to use.

Steve-Mcl · 14 July 2023 08:17

You don't. Use parameters instead (see the nodes readme)

It will save you from a future sequel injection hack

andre_x · 14 July 2023 08:34

Cool, thanks a lot, in this way the queries are even more readable!
I'm asking myself why in the GitHub page there's this:

By it's very nature it allows SQL injection... so be careful out there...

Steve-Mcl · 14 July 2023 08:41

That looks outdated.

The real readme is up-to-date and details the use of parameters: node-red-node-mysql (node) - Node-RED

andre_x · 14 July 2023 10:01

I'm having problem using LIKE

msg.payload.view_as == "master"){
msg.topic = "SELECT * FROM table1 WHERE column1 LIKE '%:view_as%'";

I can't seem to place that "view_as", I always get the variable name and not it's value.

Steve-Mcl · 14 July 2023 10:08

Parameters dont have quotes.
Prepare a variable beforehand and specifiy its name in the query.

msg.payload.view_as == "master"){
    msg.payload.view = '%' + msg.payload.view_as + '%'
   msg.topic = "SELECT * FROM table1 WHERE (column1 LIKE :view);

andre_x · 16 July 2023 11:08

Thanks!!!

system · 30 July 2023 11:09

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Safely inject SQL General database	4	1753	12 November 2019
SQL injection attacks security issue mysql General security , mysql	17	238	2 October 2024
MSSQL node-red installation problem General	16	1036	30 August 2020
Line break Mysql query General	3	33	21 October 2024
[SOLVED]The dreaded "query not defined as a string" mysql General	5	4634	31 October 2018

MySql node, how to escape queries?

Related topics