Bavya Rajendran

Reputation: 17

How to include JavaScript variable values inside a MySQL insert statement

I read some values into JavaScript variables and tried to insert them into a MySQL database from Bizmapper (Bizlink), but it throws an error:

The error is: "Failed to execute SQL insert into po_ref_table values (4200913801AA, DEAM, 067,Joseph Keefe,[email protected],W.W. Grainger, Inc.) failed to execute. Reason: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Keefe,[email protected],W.W. Grainger, Inc.)' at line 1."

I tried it the way shown below:

MySQL_DB.open(true);

// Get necessary data //
var erp_PONum        = mek.targetDocument.getRootSegment("ST").getSegment("BEG").getEDIElement("BEG03").getData();
var erp_OriginSystem = mek.targetDocument.getRootSegment("ST").getSegment("BEG").getRecord("WFG_BEG").getField("WF_OriginSystem").getData();
var erp_SiteCode     = mek.targetDocument.getRootSegment("ST").getSegment("BEG").getRecord("WFG_BEG").getField("WF_SiteCode").getData();
var erp_BuyerName    = mek.targetDocument.getRootSegment("ST").getSegment("BEG").getRecord("WFG_BEG").getField("WF_BuyerName").getData();
var erp_BuyerEmail   = mek.targetDocument.getRootSegment("ST").getSegment("BEG").getRecord("WFG_BEG").getField("WF_BuyerEmail").getData();
var erp_SupplierName = mek.targetDocument.getRootSegment("ST").getSegment("BEG").getRecord("WFG_BEG").getField("WF_SupplierName").getData();

//Insert into Table//

MySQL_DB.command("insert into po_ref_table Values ("+ erp_PONum +", "+ erp_OriginSystem +", "+ erp_SiteCode +","+ erp_BuyerName +","+ erp_BuyerEmail +","+ erp_SupplierName +")");

//Close DB//

MySQL_DB.close();

How can I solve this?

Upvotes: 0

Views: 73

Answers (1)

Stavr00

Reputation: 3314

Beware of SQL Injection vulnerabilities! Use parameter holders in your query.

var args = [erp_PONum, erp_OriginSystem, erp_SiteCode, erp_BuyerName, erp_BuyerEmail, erp_SupplierName];
MySQL_DB.command("insert into po_ref_table Values (?,?,?,?,?,?)",[args]);

Upvotes: 1
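The following is an added example, not code from the question, the answer, or Bizlink. It puts the concatenated INSERT from the question next to a placeholder-based one, using a small stand-in for a driver's command(sql, params) call (prepareInsert, a hypothetical helper) because the MySQL_DB object only exists inside Bizlink; the sample values are constructed to match the ones in the error message.

```javascript
// Constructed sample values, matching the question's error message.
const po = {
  poNum: "4200913801AA",
  originSystem: "DEAM",
  siteCode: "067",
  buyerName: "Joseph Keefe",
  buyerEmail: "[email protected]",
  supplierName: "W.W. Grainger, Inc.",
};

// 1. The question's approach: data is pasted straight into the SQL text.
//    The strings are unquoted, and the comma inside "W.W. Grainger, Inc."
//    becomes part of the statement's structure, so MySQL sees seven items
//    for six columns and reports a syntax error. Any value that carries SQL
//    metacharacters is interpreted as SQL, which is the injection risk.
function buildConcatenatedInsert(p) {
  return "insert into po_ref_table Values (" + p.poNum + ", " + p.originSystem +
    ", " + p.siteCode + "," + p.buyerName + "," + p.buyerEmail + "," +
    p.supplierName + ")";
}

// Count the comma-separated items MySQL would see inside the VALUES ( ... ).
function countValueTokens(sql) {
  const inner = sql.slice(sql.indexOf("(") + 1, sql.lastIndexOf(")"));
  return inner.split(",").length;
}

// 2. Placeholder approach: the SQL text is a constant; values travel as a
//    separate array and never change the statement's shape. prepareInsert is
//    a hypothetical stand-in for the driver call; it only checks that the
//    placeholder count matches the number of parameters supplied.
const INSERT_SQL = "insert into po_ref_table Values (?,?,?,?,?,?)";

function prepareInsert(sql, params) {
  const placeholders = (sql.match(/\?/g) || []).length;
  if (placeholders !== params.length) {
    throw new Error(`expected ${placeholders} parameters, got ${params.length}`);
  }
  return { sql, params }; // a real driver sends these to MySQL as two pieces
}

function insertParams(p) {
  return [p.poNum, p.originSystem, p.siteCode, p.buyerName, p.buyerEmail, p.supplierName];
}

// Usage: the same six values; the statement text is unchanged whatever they contain.
console.log(buildConcatenatedInsert(po), countValueTokens(buildConcatenatedInsert(po)));
console.log(prepareInsert(INSERT_SQL, insertParams(po)));
```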
