user4941705

"Insert into" doesn't work with node.js

I want a simple query for a user registration form on node.js and mysql (insert into).

This query doesn't work: it doesn't insert data into the database, and I'm not sure if this is the correct way to call the query.

app.route('/adminpanel/registeruser')
    .post(function(req, res) {
        pool.getConnection(function(err, connection) {
            if (err) {
                // No connection was obtained, so there is nothing to release
                console.log(err);
                return res.sendStatus(500);
            }
            var username = req.body.username,
                password = req.body.password,
                name = req.body.name,
                email = req.body.email,
                company = req.body.company,
                active = req.body.active,
                // Query as posted: the statement is built by string concatenation
                myquery = "INSERT INTO `oneclick`.`oc_users` (`username`, `password`, `name`, `email`, `company`, `active`) SET ('" + username + "', '" + password + "', '" + name + "', '" + email + "', '', '" + company + "', '" + active + "')";
            connection.query(myquery, function(err, rows) {
                connection.release();
                if (err) {
                    // Log the MySQL error instead of redirecting silently
                    console.log(err);
                }
                res.redirect('/adminpanel/newuser');
            });
        });
    });

Upvotes: 1

Views: 347

Answers (3)

Fabien Papet

Reputation: 2319

It is not SET but VALUES; you have to change that. Also, be careful about SQL injection.

Upvotes: 1

Jonast92

Reputation: 4967

You're attempting to mix up an insert statement and an update statement.

This is what you're doing:

INSERT INTO [...] ([...]) SET [...]

This is not possible; the SET keyword is only applied for update statements.

You should be using:

INSERT INTO table_name
VALUES (value1,value2,value3,...);

An update statement looks like this:

UPDATE table_name
SET column1=value1,column2=value2,...
WHERE some_column=some_value;

You're simply mixing them together; it has nothing to do with Node.js.

Note: take a look at how to prepare your statements so you can query them in a safe manner.

Upvotes: 1

Brad

Reputation: 163272

You are wide open to SQL injection attacks, and it's also likely the reason your query isn't working.

Never concatenate data directly into a query like this. It isn't being escaped properly, so any reserved character becomes ambiguous. Use a parameterized query. How you do this specifically depends on whatever you're using to connect to your database, which you didn't tell us.

Upvotes: 0
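As an added example (not code from the question or from any of the answers), here is the route rewritten along the lines Jonast92 and Brad describe: VALUES instead of SET, and the user input passed as separate parameters instead of being concatenated into the statement. It assumes the mysqljs/mysql driver that the question's pool.getConnection / connection.query / connection.release calls suggest, whose query(sql, values, callback) form substitutes one escaped value per `?` placeholder; the helper names and the Express status responses are this example's own choices.

```javascript
// Hypothetical helper names; the table and column names are taken from the question.
var REQUIRED_FIELDS = ['username', 'password', 'name', 'email', 'company', 'active'];

// Build the corrected INSERT: VALUES instead of SET, exactly one `?` placeholder per
// column, and the request values returned separately so the driver escapes them.
// Returns null when a required field is missing, so the route can reject the request
// before touching the database.
function buildInsert(body) {
  var values = [];
  for (var i = 0; i < REQUIRED_FIELDS.length; i++) {
    var v = body[REQUIRED_FIELDS[i]];
    if (v === undefined || v === null || v === '') return null;
    values.push(v);
  }
  var sql = 'INSERT INTO `oneclick`.`oc_users` ' +
            '(`username`, `password`, `name`, `email`, `company`, `active`) ' +
            'VALUES (?, ?, ?, ?, ?, ?)';
  return { sql: sql, values: values };
}

// For comparison only: the concatenation pattern from the question, reduced to one
// column. A perfectly legitimate value containing an apostrophe (the surname O'Brien)
// leaves the quoting unbalanced, which is the "ambiguous reserved character" failure
// Brad describes. The parameterized form above never puts the value into the SQL text.
function concatenatedInsert(body) {
  return "INSERT INTO `oneclick`.`oc_users` (`name`) VALUES ('" + body.name + "')";
}

function countQuotes(sql) {
  return (sql.match(/'/g) || []).length;
}

// Express handler factory; use as: app.route('/adminpanel/registeruser').post(registerUser(pool));
function registerUser(pool) {
  return function(req, res) {
    var stmt = buildInsert(req.body);
    if (!stmt) return res.sendStatus(400);           // incomplete form
    pool.getConnection(function(err, connection) {
      if (err) { console.log(err); return res.sendStatus(500); }
      // Values travel separately from the SQL text; the driver escapes each one
      connection.query(stmt.sql, stmt.values, function(err) {
        connection.release();
        if (err) { console.log(err); return res.sendStatus(500); }
        res.redirect('/adminpanel/newuser');
      });
    });
  };
}
```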
