Parameterized query with a "WHERE [string] like" clause #503
Comments
The problem is that pg is reading the $1 as part of the literal string instead of a placeholder because it is wrapped in quotes. It will work if you call it like this without the quotes and with the wildcards in the values array element:
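The reply above says the quoted `'%$1%'` is sent to the server as a plain string literal, so the statement carries no parameter at all, and that the fix is `like $1` with the wildcards moved into the values array. The following is an added example, not code from this thread or from node-postgres: a small scanner that counts the `$n` placeholders PostgreSQL will actually see (those outside single-quoted literals), the corrected query built the way the reply describes, and an escape step for `%`, `_` and `\` in the user-supplied key so that a search for `50%` matches that text rather than everything. The table and column names are the ones from the question; `escapeLike`, `buildEmailSearch` and `countPlaceholders` are names chosen for this example.

```javascript
// Added example; not part of the original issue or of node-postgres.

// Count the $n placeholders PostgreSQL will treat as parameters: only
// those outside single-quoted string literals ('' inside a literal is an
// escaped quote, not the end of the literal). This is why the question's
// query with '%$1%' binds one value against a statement that expects none.
function countPlaceholders(sql) {
  const seen = new Set();
  let inString = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inString) {
      if (ch === "'") {
        if (sql[i + 1] === "'") { i++; } else { inString = false; }
      }
      continue;
    }
    if (ch === "'") { inString = true; continue; }
    if (ch === '$') {
      const m = /^\$(\d+)/.exec(sql.slice(i));
      if (m) { seen.add(Number(m[1])); i += m[0].length - 1; }
    }
  }
  return seen.size;
}

// LIKE gives %, _ and the escape character (backslash by default) special
// meaning. Escaping them in the key makes the user's text match literally;
// a bound parameter is sent as-is, so the backslashes reach LIKE intact.
function escapeLike(key) {
  return key.replace(/[\\%_]/g, (c) => '\\' + c);
}

// The "contains" search from the question, built the way the reply says:
// the placeholder sits bare in the SQL text and the pattern (wildcards
// included) is data in the values array. Nothing from `key` is ever
// concatenated into the SQL, so there is no injection surface here.
function buildEmailSearch(key) {
  return {
    text: 'select id, firstname, lastname from users where email like $1',
    values: ['%' + escapeLike(key) + '%'],
  };
}

// For comparison, the form from the question: $1 is inside the quotes.
const brokenQuery = {
  text: "select id, firstname, lastname from users where email like '%$1%'",
  values: ['smith'],
};

// Usage against a live database (pg's client.query accepts this object):
//   const { Client } = require('pg');
//   const client = new Client(connectionString);
//   await client.connect();
//   const res = await client.query(buildEmailSearch('smith'));
```

`countPlaceholders(brokenQuery.text)` returns 0 while `countPlaceholders(buildEmailSearch('smith').text)` returns 1, which is the whole difference between the failing and working calls. The escaping is a separate caveat the thread does not raise: without it a key of `_` or `%` turns the search into a match-all, which is a data-exposure problem rather than an injection one, but worth closing at the same time.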
Thanks a bunch for the quick and helpful response!
You're welcome 😄
You can make it more robust by using a dynamic value from a variable with JS string interpolation.
I want to use the parameterized query feature to search a database for users whose emails contain a given search key. For example, if someone searches the string 'smith', I want to search the database with the query "select id, firstname, lastname from users where email like '%$1%' " with the value array ['smith']. For some reason, when my query is parsed, it doesn't recognize the parameter placeholder in the query.
Example:
Running this (with the correct connection string) prints out the following error:
However, if I change the query to check for "email like '%smith%' " and remove the array argument, it queries the database without any error and prints out the results.
Am I doing something dumb here that's causing this error? I don't have a lot of experience with node, so I wouldn't put it past me.
If not, I'm guessing this has to do with the way the query is parsed for parameter placeholders (i.e. that it doesn't check for them in the "like" expression). Is there by any chance a way around this? I'd prefer not to have to use a non-parameterized query and just stick the string in the middle, since then I'd have to protect against SQL injection myself (although I'm certainly open to it if there's no other option).