0

I think the table I'm trying to query isn't normalized (not my dataset). Whenever my where clause includes a value that is not a number I get the error below. It's as if the value of the where clause is confused with the column name itself. Now if I change the column to a field that only contains numbers, it executes without error. Any idea as to why this is happening?

```
  name: 'ERROR',
  event: 'errorMessage',
  number: 207,
  state: 1,
  class: 16,
  message: "Invalid column name 'somestring'.",
  serverName: 'server1234\\SQLEXPRESS',
  procName: '',
  lineNumber: 1
```

```
var express = require('express');
var app = express();

app.get('/', function (req, res) {

    var sql = require("mssql");

    // config for your database
    var config = {
        user: 'username',
        password: 'password',
        server: 'server1234',
        database: 'dbname1234'
    };

    // connect to your database
    sql.connect(config, function (err) {

        if (err) console.log(err);

        // create Request object
        var request = new sql.Request();

        // query to the database and get the records
        request.query('select * from dbo.recordset3 where column4=somestring', function (err, recordset) {

            if (err) console.log(err)

            // send records as a response
            res.send(recordset);

        });
    });
});

var server = app.listen(5000, function () {
    console.log('Server is running..');
});
```
2
  • You need to put somestring in quotes or mysql thinks you're referencing a column. So your query should be: `request.query('select * from dbo.recordset3 where column4="somestring"', function (err, recordset) {` Commented Mar 11, 2020 at 17:45
  • Thanks Mark! This is what I thought initially. However - I was getting results with ints without using the quotes. For instance, when I used another field that had numerical values (int) it would return the result regardless. The quotes also need to be escaped or it will not work. For record results with datatypes that are not int - it requires escaped quotes. Commented Mar 11, 2020 at 18:38

3 Answers

1

Solved! When using `where`, you need to use escaped single quotes.

    where column4 = \'somestring\'


0

    request.query(('select * from users WHERE username=' + '\'' + req.body.username + '\''), function (err, recordset) {


0

You should use the `request.input` function to pass values to the query to avoid SQL injection attempts.

https://www.npmjs.com/package/mssql#input-name-type-value

https://www.npmjs.com/package/mssql#sql-injection

    // create Request object
    var request = new sql.Request();

    // use request.input
    request.input('column4', sql.VarChar, "somestring");

    // query to the database and get the records
    request.query('select * from dbo.recordset3 where column4=@column4', function (err, recordset) {
        if (err) console.log(err)

        // send records as a response
        res.send(recordset);
    });

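
Added example (not code from any of the posts above): a small scanner that shows which parts of a query string the server parses as code rather than data, applied to the unquoted `somestring` from the question, the concatenation pattern from the second answer, and the parameterized form from the third. The names `skeleton`, `concatenated`, `parameterized`, `structureChanged` and the sample value `O'Brien` are constructed for illustration, and the scanner only understands single-quoted literals, not comments or bracketed identifiers.

```javascript
// Replace every single-quoted T-SQL literal with '?' so that only the parts
// parsed as code remain. Inside a literal, '' is an escaped quote.
function skeleton(sql) {
  let out = '';
  let i = 0;
  while (i < sql.length) {
    if (sql[i] !== "'") { out += sql[i++]; continue; }
    i++; // skip the opening quote
    let closed = false;
    while (i < sql.length) {
      if (sql[i] === "'" && sql[i + 1] === "'") { i += 2; continue; } // escaped quote
      if (sql[i] === "'") { closed = true; i++; break; }              // closing quote
      i++;
    }
    out += closed ? '?' : '<unterminated>';
  }
  return out;
}

// Concatenation pattern: the value becomes part of the SQL text itself.
function concatenated(username) {
  return "select * from users WHERE username='" + username + "'";
}

// Parameterized pattern: the text is constant and the value travels separately.
// With mssql this corresponds to request.input('username', sql.VarChar, username).
function parameterized(username) {
  return { text: 'select * from users WHERE username=@username', params: { username } };
}

// True when a value alters the code portion of the concatenated statement.
function structureChanged(value) {
  return skeleton(concatenated(value)) !== skeleton(concatenated('x'));
}

// Unquoted: 'somestring' stays in the code portion, so it is read as a column name.
console.log(skeleton('select * from dbo.recordset3 where column4=somestring'));
// Quoted: the value is a literal and drops out of the code portion.
console.log(skeleton("select * from dbo.recordset3 where column4='somestring'"));
// A constructed input containing an apostrophe ends the literal early.
console.log(skeleton(concatenated("O'Brien")), structureChanged("O'Brien"));
// The parameterized text is identical for every input.
console.log(parameterized("O'Brien").text);
```

Any input containing a single quote changes the statement's structure in the concatenated form, which is the property SQL injection relies on and the reason the parameterized form is the one to use for request data.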