2

I've been working on this problem for a while and can't seem to find any good info on it.

I'm running a node.js server on an EC2 instance and need to add rows to a MYSQL table with the following code:

```js
client.query('SELECT curattend FROM table1 WHERE ind=1', function (err, result) {
    att = result[0].curattend;
    console.log(att);

    // 'att' in quotes is the string literal att, not the value of the variable att
    client.query("INSERT INTO archive (attendance) VALUES ('att')", function (err, info) {
    });

    console.log(att);
});
```

I printed 'att' before and after just to be sure... att is equal to '233'. However, the number '0' keeps getting uploaded into the MYSQL table.

Can anyone point me to a resource that can help me solve this?

Brian Tompsett - 汤莱恩
pj409

2 Answers

3

Based on user2246674's constructive comments, I also learned something today.

Rather than this:

```js
// String concatenation: the value is pasted straight into the SQL text
client.query("INSERT INTO archive (attendance) VALUES (" + att + ")", function (err, info) { });
```

Try this instead:

```js
var att = result[0].curattend;
// The driver escapes the value of att and substitutes it for the ? placeholder,
// producing INSERT INTO archive (attendance) VALUES (233) for att = 233
client.query("INSERT INTO archive (attendance) VALUES (?);", [att], function (err, info) { });
```
mcriecken
  • Oh, yay, a whole new era of *SQL injection* (or *accidental breakage*) - surely there must be a *better* way? Because, the last thing I want is more of this junk. – user2246674 Jul 25 '13 at 22:07
  • Oh, yes. This has been solved years ago, and thankfully, [it also appears solved in node.js](http://stackoverflow.com/questions/15778572/preventing-sql-injection-in-node-js). (It may use escaping vs proper prepared statements, but the thing is: you shouldn't have to worry about passing data to SQL!) – user2246674 Jul 25 '13 at 22:10
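An added example, not code from the question or either answer: a small stand-in for the `?` placeholder formatting that the node `mysql` driver performs inside `client.query(sql, values, cb)` (and exposes as `mysql.format`), placed beside the other two forms seen on this page so you can compare what each produces for a plain number and for a value that happens to contain a quote. The `escapeString`, `escapeValue`, `format` and `buildQueries` names are my own, not the driver's.

```javascript
// Added example (not from the question or answers): a minimal stand-in for
// the node mysql driver's "?" placeholder formatting, used to show why the
// placeholder form is safer than string concatenation. The real driver does
// this inside client.query(sql, values, cb) / mysql.format(sql, values).
function escapeString(value) {
  // Backslash-escape the characters MySQL treats specially in a quoted literal.
  return value.replace(/[\0\b\t\n\r\x1a"'\\]/g, function (ch) {
    switch (ch) {
      case '\0': return '\\0';
      case '\b': return '\\b';
      case '\t': return '\\t';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\x1a': return '\\Z';
      default: return '\\' + ch;
    }
  });
}

function escapeValue(value) {
  // Numbers go in bare, strings get quoted and escaped, null becomes NULL.
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') return String(value);
  if (typeof value === 'boolean') return value ? 'true' : 'false';
  return "'" + escapeString(String(value)) + "'";
}

// Replace each "?" with the escaped form of the next value, left to right.
function format(sql, values) {
  let i = 0;
  return sql.replace(/\?/g, function () {
    if (i >= values.length) throw new Error('not enough values for placeholders');
    return escapeValue(values[i++]);
  });
}

// The three forms seen on this page, side by side, for one attendance value.
function buildQueries(att) {
  return {
    // Question: 'att' in quotes is a string literal; the variable is never used.
    literal: "INSERT INTO archive (attendance) VALUES ('att')",
    // Concatenation: fine for 233, but a quote in the value breaks the statement.
    concat: "INSERT INTO archive (attendance) VALUES ('" + att + "')",
    // Placeholder: the value is escaped, so a stray quote stays inside the literal.
    param: format('INSERT INTO archive (attendance) VALUES (?)', [att])
  };
}
```

The question's original form sends the text att to MySQL, which in a numeric column is coerced to 0 (or rejected outright in strict mode), which is where the 0 rows come from.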
0

Your code should be:

```js
client.query("INSERT INTO archive (attendance) VALUES ('" + att + "')", function (err, info) { });
```
Undo
gezzuzz