Pedro
Reputation: 23
Preparing statement with input in Nodejs and Sqlite3
I'm trying to read from my database using the sqlite3 package in NodeJS. In the code I have:
var sqlite = require('sqlite3');
var db = new sqlite.Database('myDatabase.db');
var someUserInput = 'Some given id by the user';
db.all(
'SELECT * FROM MyTable WHERE userId="' + someUserInput + '"',
function(err, rows) { /* Do something here */});
Instead of directly adding the user input, I would like to be able to prepare the statement properly, in order to avoid any malicious input from the user.
I have tried:
db.prepare('SELECT * FROM MyTable WHERE userId=?', someUserInput).sql
But that still gives me:
'SELECT * FROM MyTable WHERE userId=?'
With no replacement from the input.
Thanks!
Upvotes: 2
Views: 1680
Answers (1)
jkeeler
Reputation: 1008
I think you almost had it with your db.all call. Try passing your user value as a parameter:
db.all(
'SELECT * FROM MyTable WHERE userId=?',
someUserInput,
function(err, rows) { /* Do something here */});
Source: https://github.com/mapbox/node-sqlite3/wiki/API#databaseallsql-param--callback
Upvotes: 1
Related Questions
- NodeJS, sqlite3, and WHERE IN paramaters
- How to use Prepared statements with npm sqlite library on node js
- Insert row to table in SQLite and Node.js
- How to combine multiple queries from sqlite3 table from node.js
- How to assign a variable to the output of a sqlite query in node js
- Getting SQLITE ERROR incomplete input error. What's wrong?
- Sqlite3 putting input field values into insert statement
- Preparing statement in Node js with SQLite3 for GET query
- binding variables to SQL statements using node-sqlite3
- Variable sqlite3 query in nodejs