5

This probably has a really easy answer but I'm not seeing it.

I want to do a raw query using Sequelize:

var sequelize = require('sequelize');
sequelize
   .query("LOAD DATA LOCAL INFILE :file
           INTO TABLE :table
           FIELDS TERMINATED BY ',' ENCLOSED BY '\"' LINES TERMINATED BY '\n';",
          null,
          {raw:true},
          {file: datasetPath, table: "dataset_" + datasetName})

The issue is that the replacement string includes single quotes for both the :file replacement (which is good because it's a path) and the :table replacement (which is bad because it's just supposed to be an unadorned table name, and breaks the query). How do I avoid those quotes in the case of the table name replacement?

Thanks.

ropeladder
  • 1,103
  • 11
  • 24
  • 1
    To get around it I suppose you could use tableName.replace(/['"]+/g, '') which removes quotes round strings, see http://stackoverflow.com/questions/19156148/i-want-to-remove-double-quotes-from-a-string – mwarren Sep 29 '14 at 12:20

2 Answers2

0

If you're sure that datasetName will never contain any possibility of SQL injections, you can directly insert the table name into the query, like so:

sequelize
   .query("LOAD DATA LOCAL INFILE :file
           INTO TABLE dataset_" + datasetName + "
           FIELDS TERMINATED BY ',' ENCLOSED BY '\"' LINES TERMINATED BY '\n';",
          null,
          {raw:true}, {file: datasetPath})

The comment posted by mwarren doesn't really really work in this case - Sequelize is seeing that it is a string being inserted, and accordingly escapes it.

bakavic
  • 1,297
  • 10
  • 11
0

the question is more generally stated: how do you get sequelize query replacements which are not supposed to be strings output? e.g. simple integer value in insert statement. The replacement values always are single quoted, no matter what. ‍♂️

Adivate
  • 361
  • 2
  • 13