40

How do escape a MySQL LIKE statement in node-mysql?

Something along the lines of

"SELECT * FROM card WHERE name LIKE '%" + connection.escape(req.body.search) + "%'"

Results in 

'SELECT * FROM card WHERE name LIKE \'%\'hello\'%\''

Which is a syntax error. If I use the alternative syntax of

connection.query("SELECT * FROM card WHERE name LIKE '%?%'", req.body.search, function () {});

Results in a similar syntax error. I've also tried

connection.query("SELECT * FROM card WHERE name LIKE ?", '%' + req.body.search + '%', function () {});

Which just ends up escaping the '%' sign.

dtsn
  • 1,077
  • 1
  • 10
  • 17
  • Third example is correct, what is the exact problem you are seeing? Note that if you want to search for strings that literally contain percent signs that's [trickier](http://stackoverflow.com/questions/2106207/escape-sql-like-value-for-postgres-with-psycopg2/2106443#2106443). – bobince Jul 29 '13 at 11:46

6 Answers6

44

Not sure why it's escaping the % in your last example, because that works fine for me:

// lifted from my code:
var value = 'ee20e966289cd7';
connection.query('SELECT * from django_session where session_key like ?', '%' + value + '%', ...)

// Result:
[ { session_key: '713ee20e966289cd71b936084a1e613e', ... } ]

When I turn on debugging in the driver (pass debug:true as argument to mysql.createConnection), it doesn't escape the percent sign:

{ command: 3,
  sql: 'SELECT * from django_session where session_key like \'%ee20e966289cd7%\'' }

(it does escape the single quote, but that's for display purposes only)

(using mysql@2.0.0-alpha8)

robertklep
  • 198,204
  • 35
  • 394
  • 381
  • What if I want to do something like this? `query = 'SELECT * from Events e where e.Zipcode='+mysql.escape(req.body.near)+" and e.EventName LIKE %"+mysql.escape(req.body.find)+'%';` and then have this passed to query the db? I am getting the same error – zealouscoder Oct 12 '20 at 04:59
  • I get an error like this: `Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'sometext'%')' at line 1. I don't understand why it's putting in the extra single quotes! – Michael Apr 28 '22 at 18:38
19

i've had success with something like

"SELECT * FROM card WHERE name LIKE " + connection.escape('%'+req.body.search+'%')
Gary
  • 421
  • 3
  • 4
  • This works. connection.escape works in a weird manner. I was trying to put the % sign around the connection.escape and then get something like %'value'%. That would totally ruin the query. But got this correct now. Thanks to you. Cheers! – Parth May 03 '19 at 05:59
8

How about

mysql.format("SELECT * FROM card WHERE name LIKE CONCAT('%', ?,  '%')", req.body.search)

?

Lukasz Prus
  • 343
  • 1
  • 5
  • 10
0

you can always do 

variable = '%${variable}%'
"SELECT * FROM 'table' WHERE ('foo' LIKE ?);", 
[variable], callback =>
Maximilian Ast
  • 3,369
  • 12
  • 36
  • 47
Rodrigo Pazzini Jacques
  • 11
  • 3
0

I had the same problem and solved it like this:

function search(searchTerm) {

    let replacement = `'%${searchTerm}%'`;

    let sqlStatement = `SELECT * from  clients where firstName LIKE ${replacement}`;

    const [rows, fields, error] = connection.query(sqlStatement);

    return rows;

}
AML
  • 1
  • 1
0

Simple and easy way:

`SELECT * FROM card WHERE name LIKE ` + connection.escape(`%${req.body.search}%`)
Hammad Ali
  • 331
  • 3
  • 12