-1

While running this SQLite statement, I am getting the error: incomplete input

return db.run(
  `INSERT INTO articles(article_id, title, author, article) VALUES `+"('"+article_id+"', '"+data.title+"', '"+data.author+"', '"+data.article+"')",
  (err) => callback(err, article_id));

What's wrong with it? I have logged all the data inputs, and they have the correct values in the query (i.e. no values missing). Is it due to wrong syntax? Please help.

1
  • 1
    What's wrong? You are munging the query string with literal values. You need to learn to use parameters. Commented Jun 28, 2020 at 21:11

1 Answer

3

I suspect that one of your variables contains a character that clashes with the query string - such as a single quote for example.

Don't munge variables into your query string. This is unsafe (it opens up your code to SQL injection), inefficient (the database can't recognize that you are running the same query), and error-prone.

Instead, use a parameterized query:

return db.run(
    // The SQL text stays constant; each ? is bound to the matching array entry.
    "INSERT INTO articles(article_id, title, author, article) VALUES (?, ?, ?, ?)",
    [ article_id, data.title, data.author, data.article ],
    (err) => callback(err, article_id)
);

1 Comment

I was using this parameterized code earlier, but still it was not working. I just dropped my table and it worked normally.
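
Why the concatenated statement is fragile, as an added example that is not part of the original question, answer or comments: a small scanner shows that an apostrophe in the data changes the quoting structure of the concatenated SQL text, while the parameterized form keeps the text constant and carries the value unchanged. The helper names and sample values are constructed, and the scanner does not reproduce SQLite's own parser or its error messages.

```javascript
// Added example; sample values and helper names are constructed for illustration.

// The question's approach: values pasted straight into the SQL text.
function buildConcatenated(articleId, data) {
  return "INSERT INTO articles(article_id, title, author, article) VALUES " +
    "('" + articleId + "', '" + data.title + "', '" + data.author + "', '" + data.article + "')";
}

// The answer's approach: constant SQL text, values carried in a separate array.
function buildParameterized(articleId, data) {
  return {
    sql: "INSERT INTO articles(article_id, title, author, article) VALUES (?, ?, ?, ?)",
    params: [articleId, data.title, data.author, data.article],
  };
}

// Minimal scanner for single-quoted SQL literals ('' is an escaped quote).
// Reports how many literals were closed and whether one was left open.
function scanStringLiterals(sql) {
  let literals = 0;
  let i = 0;
  while (i < sql.length) {
    if (sql[i] !== "'") { i++; continue; }
    i++; // step past the opening quote
    let closed = false;
    while (i < sql.length && !closed) {
      if (sql[i] === "'" && sql[i + 1] === "'") i += 2; // escaped quote
      else if (sql[i++] === "'") closed = true;          // closing quote
    }
    if (!closed) return { literals, unterminated: true };
    literals++;
  }
  return { literals, unterminated: false };
}

// True when the statement still has exactly the four literals the author wrote.
function structureIntact(sql) {
  const r = scanStringLiterals(sql);
  return !r.unterminated && r.literals === 4;
}

const plain = { title: "Hello", author: "Ann", article: "Text" };     // constructed
const quoted = { title: "It's here", author: "Ann", article: "Text" }; // constructed

console.log(structureIntact(buildConcatenated("a1", plain)));  // true
console.log(structureIntact(buildConcatenated("a1", quoted))); // false
console.log(buildParameterized("a1", quoted).params[1]);       // It's here
```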
