
I am getting data like this:

category :  "c1,c2"

I am doing category.split(',') to get data like this:

category:  [ 'c1', 'c2' ]

I want to pass it into a SQL query for the IN ( ) operator like this, but I am unable to figure out a way.

SELECT * FROM employee emp WHERE .........   AND emp.category in ( 'c1','c2' ) ORDER BY.. 

Right now, if I pass category.toString(), it goes like this:

SELECT * FROM employee emp WHERE .........   AND emp.category in ( c1,c2 ) ORDER BY.. 

which gives Error: 'Unknown column 'c1' in 'where clause''.

  • Does your table have a column called c1 or c2? The error suggests not, and hence the error. Also, what RDBMS are you really using. SQL Server and MySQL are completely different products. Commented May 19, 2021 at 15:01
  • I suspect the problem is that you are injecting your values (insecurely?) and when you are you aren't wrapping them in single quotes; but without the application code that's impossible to know. If you're using SQL Server, I would suggest you look into table type parameters. Commented May 19, 2021 at 15:03
  • The table does not have a column with those names. The column name is employee, as I have mentioned in the query. I am using MySQL. Commented May 19, 2021 at 15:03
  • "emp.category in ( c1,c2 )" will, however, be referencing the columns c1 and c2 not the literal strings with those values. "I am using MySQL" Then please correct your tags to retag mysql, as I removed the conflicting tags. Commented May 19, 2021 at 15:05
  • We have injected values like this in the whole project. It works when the data is numbers, like id in ( 446766,446805). It is causing an issue with strings. Commented May 19, 2021 at 15:05

2 Answers


You should try a parametrized query; it will solve your problem.

Pass ( ? ) like this:

SELECT * 
FROM employee emp 
WHERE .........   
  AND emp.category IN ( ? ) 
ORDER BY .. 

You can pass your values in a parameter array.

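The answer above stops at "pass ( ? )". What a driver actually needs for an IN ( ) list is one placeholder per value plus a parameter array of the same length, so the values never become part of the SQL text at all. The following is an added example, not code from the answer or from any driver: it builds that pair from the comma-separated category string in the question. The `emp.category` column and the `?` placeholder style are from the question and the usual mysql/mysql2 convention; the `ORDER BY emp.id` clause and the `connection.execute` call in the comment are assumptions so the code runs offline.

```javascript
// Added example: build `col IN (?, ?, ...)` plus its parameter array.
// Nothing here touches a database; the driver call is only shown in a comment.

/**
 * Return the SQL fragment and parameters for `column IN (?, ?, ...)`.
 * One `?` per value; quoting and escaping are left entirely to the driver,
 * so a value containing quotes or comment markers cannot change the query.
 */
function buildInClause(column, values) {
  if (!Array.isArray(values) || values.length === 0) {
    // `IN ()` is a syntax error in MySQL; fail loudly instead of emitting it.
    throw new Error('IN () needs at least one value');
  }
  // A column name cannot be a parameter, so restrict it to a plain identifier
  // (optionally qualified, e.g. emp.category) rather than interpolating freely.
  if (!/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/.test(column)) {
    throw new Error(`invalid column name: ${column}`);
  }
  const placeholders = values.map(() => '?').join(', ');
  return { sql: `${column} IN (${placeholders})`, params: values.slice() };
}

/**
 * Turn the "c1,c2" string from the question into { sql, params }.
 * The ORDER BY column is an assumption; the question elides it.
 */
function employeeQuery(categoryCsv) {
  const categories = categoryCsv.split(',').map((s) => s.trim()).filter(Boolean);
  const inClause = buildInClause('emp.category', categories);
  return {
    sql: `SELECT * FROM employee emp WHERE ${inClause.sql} ORDER BY emp.id`,
    params: inClause.params,
  };
}

// Usage with a prepared-statement driver (assumed API, not executed here):
//   const [rows] = await connection.execute(q.sql, q.params);

const q = employeeQuery('c1,c2');
console.log(q.sql);    // SELECT * FROM employee emp WHERE emp.category IN (?, ?) ORDER BY emp.id
console.log(q.params); // [ 'c1', 'c2' ]

// Constructed hostile input: the SQL text is identical, the payload is just a parameter.
const hostile = employeeQuery("c1,x') OR 1=1 -- ");
console.log(hostile.sql === q.sql); // true
console.log(hostile.params);        // [ 'c1', "x') OR 1=1 --" ]
```

Note that the number of placeholders is derived from the array, so the same code works for two categories or two hundred; and because the column name is the one thing that cannot be parameterized, it is validated against an identifier pattern rather than interpolated as-is.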


As you noted, you need to have your query built as emp.category in ( 'c1','c2' ).

Your method currently generates emp.category in ( c1,c2 ).

So you need proper escaping of your values so that the ingested values are indeed quoted. It depends on how exactly you build the query, but a proper escaping mechanism should not have this problem.

Start by testing with category : "'c1','c2'" just to wrap your head around it.

But you will surely need to dive into how your queries are built. An invalid escaping mechanism can lead to a lot of security issues, as it will inevitably lead to SQL injection attacks.

In node.js land, you can use the https://www.npmjs.com/package/pg-format module in order to properly escape hand-built queries. You could also use a higher-level query builder like knex.

3 Comments

I got this solution. I am already thinking about it. But I am not sure how I will make it like category : "'c1','c2'".
You need to explain how your query string is built. Do you use a library (might be a bug) or just concatenate strings (not advised for SQL query building)?
I am concatenating a string to make the query, but I am open to suggestions.
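The answer and comments above say "proper escaping" is required when the query is concatenated, and the asker wants to know how to get from [ 'c1', 'c2' ] to 'c1','c2'. The following added example (not code from the answer, pg-format or any driver) shows both the naive quoting a concatenating project tends to reach for and a literal-quoting routine written out along the lines of what a MySQL driver's escape function does, side by side on the same hostile input. Column name and values come from the question; the escape table assumes MySQL's default sql_mode, where backslash escapes are enabled (if NO_BACKSLASH_ESCAPES is set on the server, backslashes in data must not be doubled and a different routine is needed). Placeholders, as in the other answer, remain the better option; this shows why escaping has to be exact if you concatenate anyway.

```javascript
// Added example: quoting string literals for an IN () list, naive vs. escaped.
// Escape rules mirror MySQL's default sql_mode; this is an illustration,
// not a copy of any library's escape function.

// Characters that must be escaped inside a MySQL string literal (default sql_mode).
const MYSQL_ESCAPES = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
};

/** Quote one value as a MySQL string literal, escaping every special character. */
function quoteLiteral(value) {
  const body = String(value).replace(/[\0\b\t\n\r\x1a"'\\]/g, (ch) => MYSQL_ESCAPES[ch]);
  return `'${body}'`;
}

/** Escaped `column IN ('a','b')` fragment: the form the question wants. */
function inClauseEscaped(column, values) {
  if (values.length === 0) throw new Error('IN () needs at least one value');
  return `${column} IN (${values.map(quoteLiteral).join(',')})`;
}

/** The naive version: wrap in quotes, escape nothing. Injectable. */
function inClauseNaive(column, values) {
  return `${column} IN ('${values.join("','")}')`;
}

const clean = ['c1', 'c2'];
const hostile = ["x') OR 1=1 -- ", 'c2']; // constructed attacker-controlled input

console.log(inClauseEscaped('emp.category', clean));
// emp.category IN ('c1','c2')

console.log(inClauseNaive('emp.category', hostile));
// emp.category IN ('x') OR 1=1 -- ','c2')
// the quote in the value closed the literal; the rest is now live SQL

console.log(inClauseEscaped('emp.category', hostile));
// emp.category IN ('x\') OR 1=1 -- ','c2')
// the quote is escaped, so the whole payload stays inside one string literal
```

The naive version looks right on clean input, which is why it survives in projects "in whole" until someone sends a value with a quote in it. Escaping every special character is what `mysql`'s `escape()` or pg-format's `%L` do for you; writing it by hand is only worthwhile to see what is at stake, and the sql_mode caveat above is one reason to prefer the driver's own routine or placeholders over a home-grown one.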
