
Hello all, this is my first question on Stack Overflow. I am developing an app with PhoneGap, using WebSQL and JavaScript. In my app there is a login form which takes two inputs: username and password. When the user fills in these values and clicks Login, they are checked against a database table which has multiple rows. For checking the values I am using this query:

var email = document.getElementById("uname").value;
tx.executeSql('SELECT * FROM USERINF Where Email=email', [], MatchPass, errorCB1);

But the query is not working with a WHERE clause that contains a JavaScript variable. I have also tried many syntaxes such as

where Email=@email
where Email="+email+"

and many more, but none of them worked.

Is it possible to use a JavaScript variable in a WHERE clause? If yes, please tell me how. If not, please suggest another way to accomplish the task. Thanks in advance.

This is my full JavaScript code:

// JavaScript Document
var db = window.openDatabase("CakeViewer", "1.0", "Cake Viewer", 2 * 1024 * 1024);

function login()
{
    db.transaction(matchcred);
}

// Transaction callback: looks up the row for the typed e-mail address.
function matchcred(tx)
{
    var eml = document.getElementById("uname").value;
    tx.executeSql('SELECT * FROM USERINF Where Email=eml', [], MatchPass, errorCB1);
    // Problem is in the line above: the query is not executed with a variable in the
    // WHERE clause. But it works fine if I use where Email="[email protected]"
}

// Statement success callback: compares the stored password with the typed one.
function MatchPass(tx, results)
{
    var orgnalPass = results.rows.item(0).Password;
    var userinputedPass = document.getElementById("pass");

    if (orgnalPass == userinputedPass.value)
    {
        window.location.href = 'HomePage.html';
    }
    else
    {
        errorCB();
    }
}

function errorCB(tx, err)
{
    alert("User Name or Password is not valid !");
    document.getElementById("uname").value = "";
    document.getElementById("pass").value = "";
}

// Statement error callback for the SELECT above.
function errorCB1()
{
    alert("Query failed");
}

function errorCB2(tx, err)
{
    alert("errorCB2" + err);
}

3 Answers

10

The easiest way is to use a question mark (?) as a placeholder for each variable.

For example:

tx.executeSql('SELECT Data from Table Where something = ?', [email], MatchPass, errorCB1);

The ?s are read from left to right and matched, in that order, to the values in the [] array.

Another example:

tx.executeSql('SELECT Data from Table Where email = ? AND username=?', [email, username], MatchPass, errorCB1);

2 Comments

Thanks @Jens for this alternate answer
+1 as this answer also helps in preventing SQL injection
0
// Splices the e-mail value straight into the statement text (see the comments
// on the next answer about SQL injection); the callbacks are those from the question.
tx.executeSql("SELECT * FROM USERINF Where Email='" + email + "'", [], MatchPass, errorCB1);

1 Comment

Thanks for your answer SoWa, but '"+email+"' didn't work; instead "'+ email+ '" worked.
-1

To get the value of the JS variable email into the query you need to use the + operator to concatenate. Also wrap the value in quotes, since the value may be a string.

tx.executeSql('SELECT Data from Table Where something = "'+ email+ '"', [], MatchPass, errorCB1);

2 Comments

Yeah, but, assuming email comes from the user, this is a great way to get SQL injection unless you escape any potential quotes in the email value. Also, does that SQL syntax really wrap strings in double quotes? Seems wrong to me.
+1 to ErikE's comment about the security issue introduced by such a practice. Please please please don't advocate for (or accept an answer that proposes) using raw SQL statements like this.
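The following is an added example, not code from the original question or any of the answers. It puts the question's lookup written with the ? placeholder from the accepted answer beside the string-concatenated form proposed in the two lower answers, and sends the same hostile e-mail value through both so the difference is visible. `FakeTx` and `resultSet` are stand-ins of my own for WebSQL's SQLTransaction and SQLResultSet (they only record what executeSql() receives and reply with constructed rows) so that the code runs offline under Node, without PhoneGap; in the app, `tx` is the transaction that `db.transaction()` hands to its callback. The hostile value and the sample row are constructed for the demonstration.

```javascript
// Added example, not from the original post. Compares a "?"-bound lookup with
// a concatenated one, using fake transaction/result objects (assumptions) in
// place of WebSQL's SQLTransaction and SQLResultSet.

// Constructed result set in WebSQL's SQLResultSet shape.
function resultSet(rowArray) {
  return {
    rows: {
      length: rowArray.length,
      // SQLResultSetRowList.item(i) yields null for an out-of-range index.
      item: (i) => (i >= 0 && i < rowArray.length ? rowArray[i] : null),
    },
  };
}

// Stand-in transaction (assumption): records each statement it is given and
// hands the canned rows to the success callback, as a real transaction would.
class FakeTx {
  constructor(cannedRows) {
    this.cannedRows = cannedRows;
    this.calls = [];
  }
  executeSql(sql, params, onSuccess, onError) {
    this.calls.push({ sql: sql, params: params });
    if (onSuccess) onSuccess(this, resultSet(this.cannedRows));
  }
}

// Bound form: the statement text is a constant and the e-mail travels in the
// params array, so the engine binds it as a value and never parses it as SQL.
const LOOKUP_SQL = 'SELECT * FROM USERINF WHERE Email = ?';

function lookupUserBound(tx, email, onRows, onError) {
  tx.executeSql(LOOKUP_SQL, [email], onRows, onError);
}

// Concatenated form, as in the two lower answers: the e-mail is spliced into
// the statement, so a quote in it rewrites the WHERE clause. Kept only to show
// what the database actually receives.
function lookupUserConcat(tx, email, onRows, onError) {
  tx.executeSql("SELECT * FROM USERINF WHERE Email='" + email + "'", [],
                onRows, onError);
}

// Replacement for the question's MatchPass: rejects an empty or ambiguous
// result before touching rows.item(0) (which would be null and throw), and
// returns a boolean instead of navigating, so it can be tested.
function passwordMatches(results, typedPassword) {
  if (results.rows.length !== 1) return false;
  const row = results.rows.item(0);
  // The question keeps the password in clear text in the table; a real app
  // would store a password hash there and verify the typed value against it.
  return row.Password === typedPassword;
}

// Send one hostile value (constructed) through both lookups and return what
// each one handed to executeSql().
function demo() {
  const hostile = "x' OR '1'='1";
  const tx = new FakeTx([]); // no rows, as for an unknown e-mail
  lookupUserBound(tx, hostile, function () {});
  lookupUserConcat(tx, hostile, function () {});
  return {
    boundSql: tx.calls[0].sql,       // the unchanged template
    boundParams: tx.calls[0].params, // the raw value, quotes included
    concatSql: tx.calls[1].sql,      // "... Email='x' OR '1'='1'": true for every row
  };
}
```

Calling `demo()` shows the two outcomes side by side: the bound statement is still `SELECT * FROM USERINF WHERE Email = ?` with the hostile string carried as a parameter, while the concatenated statement has become `... WHERE Email='x' OR '1'='1'`, a condition that is true for every row in USERINF. With the question's original MatchPass that would hand back the first user in the table instead of the one who is logging in; `passwordMatches` also closes the separate problem of `rows.item(0)` being null when no row matched.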
