Sqlite dynamic number of parameters

Hi all,
I need to pass a dynamic number of parameters to a query. For example:

SELECT * FROM test WHERE text_field = "test" OR number_field = "500" OR text_field = "value"

I know I can do it using msg.topic, but I want to check for SQL injection, so I want to do it with a prepared statement. If I can't do it with a prepared statement, is there a better way than checking it with regular expressions?

The ideal situation would be to solve the select above, but if I can at least solve an IN with dynamic parameters, that would be something.

Example:

SELECT * FROM test WHERE ID IN(1,50,23,41)

Thanks

I know I can do it using msg.topic

If you use a function node, you can create msg.topic dynamically.

I know, but that is what I am saying. I would like to do it with a prepared statement. In a prepared statement, can I also pass the msg.topic?

Well, the sqlite node certainly supports prepared statements, as you will have seen. I did some quick searching and I'm not sure how it works; it's been a long time since I used that node. The node notes that it uses db.all; docs for that are here:

Ok, I see it's another way to do it. I was thinking of doing it all with node-red-node-sqlite, but if there isn't another workaround, that should work. Thanks.

I will wait because maybe there is another way to do it using node-red-node-sqlite and a prepared statement.
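
An added example, not from any poster in this thread and not the sqlite node's own code: one way to handle both queries from the first post is to generate one `?` placeholder per value and pass the values separately, so the SQL text changes in length but never contains user data. The helper names, the column allowlist and the 999-parameter cap are assumptions made for the illustration.

```javascript
// Added example: variable-length WHERE clauses built from "?" placeholders.
// Values travel only in the params array; column names cannot be bound, so
// they are checked against an allowlist instead (hypothetical helper names).
const ALLOWED_COLUMNS = new Set(["ID", "text_field", "number_field"]);
const MAX_PARAMS = 999; // SQLite's default bind-variable limit before 3.32.0

function checkList(items) {
  if (!Array.isArray(items) || items.length === 0) throw new Error("empty list");
  if (items.length > MAX_PARAMS) throw new Error("too many parameters");
}

// conditions: [{ column: "text_field", value: "test" }, ...] joined with OR
function buildOrQuery(conditions) {
  checkList(conditions);
  const clauses = conditions.map(({ column }) => {
    if (!ALLOWED_COLUMNS.has(column)) throw new Error("column not allowed: " + column);
    return column + " = ?";
  });
  return {
    sql: "SELECT * FROM test WHERE " + clauses.join(" OR "),
    params: conditions.map(({ value }) => value),
  };
}

// ids: [1, 50, 23, 41] -> "ID IN (?, ?, ?, ?)"
function buildInQuery(ids) {
  checkList(ids);
  const placeholders = ids.map(() => "?").join(", ");
  return { sql: "SELECT * FROM test WHERE ID IN (" + placeholders + ")", params: ids.slice() };
}

// Constructed sample input; the last value is a hostile string that stays data.
const sample = buildOrQuery([
  { column: "text_field", value: "test" },
  { column: "number_field", value: 500 },
  { column: "text_field", value: 'value" OR 1=1 --' },
]);
console.log(sample.sql, sample.params);

// With the sqlite3 module the thread mentions: db.all(sample.sql, sample.params, callback)
// In a function node (assumption: the sqlite node, in "Via msg.topic" mode,
// binds a msg.payload array): msg.topic = sample.sql; msg.payload = sample.params;
```
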
