2

I've been working on this problem for a while and can't seem to find any good info on it.

I'm running a node.js server on an EC2 instance and need to add rows to a MYSQL table with the following code:

client.query('SELECT curattend FROM table1 WHERE ind=1', function(err,result){
        att = result[0].curattend;
        console.log(att);

        client.query("INSERT INTO archive (attendance) VALUES ('att')", function(err,info){
                });

        console.log(att);

        });

I printed 'att' before and after just to be sure...att is equal to '233'. However, the number'0' keeps getting uploaded into the MYSQL table.

Can anyone point me to a resource that can help me solve this?

Improve this question

2 Answers 2

Reset to default
3

Based on user2246674's constructive comments, I also learned something today.

Rather than this:

client.query("INSERT INTO archive (attendance) VALUES (" + att + ")"

Try this instead:

 var att  = result[0].curattend;
 client.query("INSERT INTO archive (attendance) VALUES (?);", [att], function(err,info){ });
 // This creates the insert statement INSERT INTO archive (attendance) VALUES (att);
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Oh, yay, a whole new era of SQL injection (or accidental breakage) - surely there must be a better way? Because, the last thing I want is more of this junk.
Oh, yes. This has been solved years ago, and thankfully, it's also appears solved in node.js. (It may use escaping vs proper prepared statements, but the thing is: you shouldn't have to worry about passing data to SQL!)
0

Your code should be:

('"+att+"')"
Improve this answer

1 Comment

Can you explain your answer better please?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.