
I am using the @el3um4s/node-mdb package, so when I run the SQL commands

SELECT * 
FROM API_DATA 
WHERE TRNo = 1002 
AND VehicleNo = 'AP16TT1002'

like this, I am getting the correct query result, but when I tried adding variables to it like

SELECT * 
FROM API_DATA 
WHERE TRNo = ${trNo} 
AND VehicleNo = '${vehicleNo}' 

by taking them from the URL, it is returning empty.

    const location = req.query.location;
    const vehicleNo = req.query.VehicleNo; // Use the correct case for VehicleNo
    const trNo = req.query.TRNo; 
    if (vehicleNo) {
        sql += ` AND VehicleNo='${vehicleNo}'`;
    }

    if (trNo) {
        sql += ` AND TRNo='${trNo}'`;
    }

Above is some reference code if you need it.

This is the code that executes the SQL after I add all the params:

    const result = await query.sql({
        database,
        sql,
    });
    console.log(result)

Also, the URL is not the problem here; when I console.log the SQL command that it becomes after reading the values from the URL, it is the same.

URL => localhost:3000/?VehicleNo=AP16TT2001&TRNo=1002
  • This seems like you are attempting to *inject* values. Please use parameters instead – Hans Kesting Sep 01 '23 at 12:12
  • In the example, VehicleNo changed from ``AP16TT1002`` to ``AP16TT2001``. Does a row with ``AP16TT2001`` really exist? – ValNik Sep 01 '23 at 16:08
  • What happens if you place variables outside of backticks and concatenate as needed (i.e., include single quotes in the sql string)? If `&` represents concatenation, then: sql += ` AND VehicleNo='` & ${vehicleNo} &"`'`", and similar construction for the other `AND` clause but exclude single quotes. – bugdrown Sep 02 '23 at 12:39
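The `query.sql({ database, sql })` call shown in the question takes one finished SQL string, so the values from `req.query` end up inside it either way. Added example (not code from the question or from the @el3um4s/node-mdb package): a builder for the API_DATA query that allow-lists each value before interpolating it, so a stray quote or operator in the URL is rejected instead of becoming part of the statement. It assumes TRNo is a numeric column (the working query compares it to a bare 1002, while the reference code quotes it) and that VehicleNo holds short plate strings like AP16TT1002.

```javascript
// Added example, not from the question or from @el3um4s/node-mdb.
// Assumptions: TRNo is numeric, VehicleNo is a short alphanumeric plate.
const TRNO_RE = /^\d{1,9}$/;            // digits only: safe to inline unquoted
const VEHICLE_RE = /^[A-Za-z0-9]{1,12}$/; // no quotes, spaces or comment chars

// Express may hand back an array for a repeated query key; only plain
// strings are accepted so nothing unexpected reaches the SQL text.
function asSingleString(value, name) {
  if (typeof value !== 'string') throw new Error(`${name} must be a single string`);
  return value.trim();
}

// Builds the same statement the question's code assembles, but each
// value is validated before it is interpolated.
function buildApiDataSql(params) {
  const filters = [];

  if (params.VehicleNo !== undefined && params.VehicleNo !== '') {
    const vehicleNo = asSingleString(params.VehicleNo, 'VehicleNo');
    if (!VEHICLE_RE.test(vehicleNo)) throw new Error('VehicleNo has an unexpected format');
    // The allow-list excludes the quote character, so the quoted
    // literal below cannot be terminated early by the input.
    filters.push(`VehicleNo='${vehicleNo}'`);
  }

  if (params.TRNo !== undefined && params.TRNo !== '') {
    const trNo = asSingleString(params.TRNo, 'TRNo');
    if (!TRNO_RE.test(trNo)) throw new Error('TRNo must be an integer');
    // Emitted unquoted, matching the working query (TRNo = 1002).
    filters.push(`TRNo=${Number(trNo)}`);
  }

  let sql = 'SELECT * FROM API_DATA';
  if (filters.length > 0) sql += ' WHERE ' + filters.join(' AND ');
  return sql;
}

// Usage inside the route handler (hypothetical wiring, same call as the
// question uses):
//   const sql = buildApiDataSql(req.query);
//   const result = await query.sql({ database, sql });
```

Invalid input throws before any database call, so the handler can answer 400 instead of running a malformed query.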
