2

I've been working on this problem for a while and can't seem to find any good info on it.

I'm running a node.js server on an EC2 instance and need to add rows to a MySQL table with the following code:

client.query('SELECT curattend FROM table1 WHERE ind=1', function (err, result) {
        att = result[0].curattend;
        console.log(att);

        // Note: 'att' inside the SQL string is a string literal, not the variable att.
        // The statement sent to MySQL is literally VALUES ('att').
        client.query("INSERT INTO archive (attendance) VALUES ('att')", function (err, info) {
        });

        console.log(att);
});

I printed 'att' before and after just to be sure... att is equal to '233'. However, the number '0' keeps getting uploaded into the MySQL table.

Can anyone point me to a resource that can help me solve this?

Brian Tompsett - 汤莱恩
pj409

2 Answers

3

Based on user2246674's constructive comments, I also learned something today.

Rather than this:

client.query("INSERT INTO archive (attendance) VALUES (" + att + ")", function (err, info) {
});
// Plain string concatenation: whatever att contains lands unescaped in the SQL text.

Try this instead:

 var att = result[0].curattend;
 client.query("INSERT INTO archive (attendance) VALUES (?);", [att], function (err, info) {
 });
 // The driver replaces the ? placeholder with the escaped value of att, so the
 // statement sent to MySQL is, for example, INSERT INTO archive (attendance) VALUES (233);
mcriecken
  • Oh, yay, a whole new era of *SQL injection* (or *accidental breakage*) - surely there must be a *better* way? Because, the last thing I want is more of this junk. – user2246674 Jul 25 '13 at 22:07
  • Oh, yes. This has been solved years ago, and thankfully, [it also appears solved in node.js](http://stackoverflow.com/questions/15778572/preventing-sql-injection-in-node-js). (It may use escaping vs proper prepared statements, but the thing is: you shouldn't have to worry about passing data to SQL!) – user2246674 Jul 25 '13 at 22:10
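To make the difference between the three INSERT forms on this page concrete, here is an added example; it is not code from the question or from either answer. node-mysql builds the final SQL text client-side by substituting each ? with an escaped value, so escapeString(), escapeValue() and format() below are a simplified stand-in for that substitution and are an assumption for illustration, not the driver's own code. The three insert builders mirror the question's code and the two answers, and the hostile input is constructed for the demonstration.

```javascript
// Added example: a minimal model of the '?' substitution that node-mysql
// performs client-side. escapeString/escapeValue/format are simplified
// stand-ins for the driver's SqlString helpers (an assumption for
// illustration, not the library's code); the three insert builders mirror
// the question's code and the two answers on this page.

function escapeString(str) {
  // Backslash-escape the characters MySQL treats specially inside a quoted literal.
  return str.replace(/[\0\b\t\n\r\x1a'"\\]/g, function (ch) {
    switch (ch) {
      case '\0':   return '\\0';
      case '\b':   return '\\b';
      case '\t':   return '\\t';
      case '\n':   return '\\n';
      case '\r':   return '\\r';
      case '\x1a': return '\\Z';
      default:     return '\\' + ch; // quotes and backslash
    }
  });
}

function escapeValue(val) {
  if (val === null || val === undefined) return 'NULL';
  if (typeof val === 'number' && Number.isFinite(val)) return String(val);
  if (typeof val === 'boolean') return val ? 'true' : 'false';
  return "'" + escapeString(String(val)) + "'";
}

// Replace each ? with the next escaped value, as query(sql, values) does.
function format(sql, values) {
  var i = 0;
  return sql.replace(/\?/g, function () {
    if (i >= values.length) throw new Error('more placeholders than values');
    return escapeValue(values[i++]);
  });
}

// 1. The question: 'att' in quotes is a string literal; the variable is never read.
function literalInsert() {
  return "INSERT INTO archive (attendance) VALUES ('att')";
}

// 2. The second answer: the value is concatenated into the SQL text unescaped.
function concatInsert(att) {
  return "INSERT INTO archive (attendance) VALUES ('" + att + "')";
}

// 3. The accepted answer: a placeholder plus a separate values array.
function placeholderInsert(att) {
  return format('INSERT INTO archive (attendance) VALUES (?)', [att]);
}

// Count top-level statements by splitting on ';' outside single-quoted literals,
// which is enough to show whether a second statement was smuggled in.
function statementCount(sql) {
  var inQuote = false, count = 1;
  for (var i = 0; i < sql.length; i++) {
    var ch = sql[i];
    if (ch === '\\' && inQuote) { i++; continue; }  // skip the escaped character
    if (ch === "'") inQuote = !inQuote;
    else if (ch === ';' && !inQuote && i < sql.length - 1) count++;
  }
  return count;
}

// Constructed inputs: the number the asker saw, and a hostile string that
// closes the literal early and appends a second statement.
var att = 233;
var hostile = "0'); DROP TABLE archive; -- ";

console.log(literalInsert());
console.log(placeholderInsert(att));
console.log(concatInsert(hostile), '=> statements:', statementCount(concatInsert(hostile)));
console.log(placeholderInsert(hostile), '=> statements:', statementCount(placeholderInsert(hostile)));
```

Run it with node. The question's code sends the literal 'att'; MySQL converts a non-numeric string to 0 for an integer column (with a warning, or an error when sql_mode is strict), which is where the 0 in the table comes from. The concatenated form turns into more than one statement as soon as the value carries a quote and a semicolon (recent versions of the driver refuse multiple statements per query unless multipleStatements is enabled, which limits but does not remove the risk), whereas the placeholder form keeps the whole value inside one quoted literal. As the comment above notes, this is client-side escaping rather than a server-side prepared statement, so every value that is not a constant in your own code has to go through the values array.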
0

Your code should be:

client.query("INSERT INTO archive (attendance) VALUES ('" + att + "')", function (err, info) {
});
// Concatenates the value of att into the quoted literal; nothing escapes it.
Undo
gezzuzz