javascript - passing parameters into sql insert

I have an insert query where I am inserting a string into my DB2 database, but the string may include " or '. Could I use parameters for inserting to get around this issue?

var addProducts = "insert into PRODUCTS ( ITEM, DESCRIPTION, PRICE, SIZES, IMAGE ) VALUES ('" +
  req.query.item +
  "', '" +
  req.query.description +
  "', '" +
  req.query.price +
  "', '" +
  size +
  "', '" +
  image_url +
  "' )";

That is what I have right now... Thanks for your help in advance :)


1 Reply


I hope this will be useful for you:

Using `` and ${}:

var addProducts = `INSERT INTO PRODUCTS ( ITEM, DESCRIPTION, PRICE, SIZES, IMAGE ) VALUES (${req.query.item}, ${req.query.description}, ${req.query.price}, ${size}, ${image_url} )`;

For the types that differ from string, add .toString():

req.query.price.toString();
size.toString();

And if you require the quotation mark:

var addProducts = `INSERT INTO PRODUCTS ( ITEM, DESCRIPTION, PRICE, SIZES, IMAGE ) VALUES ('${req.query.item}', '${req.query.description}', '${req.query.price}', '${size}', '${image_url}' )`;

In addition, you can escape quotation marks in the string with

const str = "\"'";

I did this exercise:

sql.connect(sqlConfig, function() {
    var request = new sql.Request();
    var stringRequest = "INSERT INTO PRODUCTS (ITEM, DESCRIPTION, PRICE, SIZES, IMAGE) VALUES ("+ req.query.item +","+ req.query.description +","+ req.query.price+","+ size +","+image_url+" )";
    request.query(stringRequest, function(err, recordset) {
        if(err) console.log(err);
        res.end(JSON.stringify(recordset)); // Result in JSON format
    });
});

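An added example, not code from the question or the reply, showing the parameterised approach the question asks about: the SQL text carries only `?` placeholders and the values travel separately, so a `'` or `"` inside a field is data and cannot terminate the literal. It assumes a driver that takes positional `?` placeholders plus a values array (ibm_db's `conn.query(sql, params, callback)` for DB2 follows this convention); no database is needed to run it.

```javascript
// Added example (not from the question or the reply): a parameterized INSERT
// for the PRODUCTS table, kept driver-independent so it runs without a database.
// Assumed: the driver accepts positional "?" placeholders and a values array,
// as ibm_db's conn.query(sql, params, callback) does for DB2.
const COLUMNS = ["ITEM", "DESCRIPTION", "PRICE", "SIZES", "IMAGE"];

// Validate and normalise the request fields once, before they go near SQL.
function toProduct(query, size, imageUrl) {
  const str = (v, name, max) => {
    if (typeof v !== "string" || v.length === 0 || v.length > max) {
      throw new TypeError(`${name} must be a non-empty string of at most ${max} chars`);
    }
    return v;
  };
  const price = Number(query.price);
  if (!Number.isFinite(price) || price < 0) {
    throw new TypeError("price must be a non-negative number");
  }
  return {
    ITEM: str(query.item, "item", 100),
    DESCRIPTION: str(query.description, "description", 1000),
    PRICE: price,
    SIZES: str(size, "size", 50),
    IMAGE: str(imageUrl, "image_url", 500),
  };
}

// The statement text contains no user data; values are bound separately, so
// quotes inside a description are plain characters, not SQL syntax.
function buildInsert(product) {
  const placeholders = COLUMNS.map(() => "?").join(", ");
  const text = `INSERT INTO PRODUCTS (${COLUMNS.join(", ")}) VALUES (${placeholders})`;
  const values = COLUMNS.map((c) => product[c]);
  return { text, values };
}

// The concatenation from the question, kept only to show what a quote does to it.
function buildNaive(product) {
  const quoted = COLUMNS.map((c) => `'${product[c]}'`).join(", ");
  return `INSERT INTO PRODUCTS (${COLUMNS.join(", ")}) VALUES (${quoted})`;
}

// Constructed sample request: the description contains both ' and ".
const sampleQuery = { item: "Mug", description: "Bob's \"Best\" mug", price: "9.99" };
const product = toProduct(sampleQuery, "L", "https://example.invalid/mug.png");
const naiveSql = buildNaive(product);  // odd number of single quotes: statement is broken
const safe = buildInsert(product);     // text has no quotes at all; values carry the data
// With ibm_db this would be executed as: conn.query(safe.text, safe.values, callback)
```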