12

I need to make a MySQL query using "WHERE IN". This is my query:

var myQuery = 'SELECT uid FROM ' +tableName+ ' where Gender IN (' + Info.Gender.join() + ')';

If I print Info.Gender it will be ['Male', 'Female'], as a string, but when the query is done it says

SELECT uid FROM appUsers where Gender IN (Male, Female)

But should be:

SELECT uid FROM appUsers where Gender IN ('Male', 'Female')

That means it takes the Female not as a string.

Any ideas?

Dan The Man

`' where Gender IN (\'' + Info.Gender.join("', '") + '\')';` – fuyushimoya Dec 16 '15 at 10:24

When you're generating SQL in JavaScript, it's smart to always use double quotes, so you can be sure that any single quotes will be part of the SQL and not of the JavaScript. – SWeko Dec 16 '15 at 10:29

2 Answers

25

You should use query escaping (provided that you're using node-mysql):

var myQuery = 'SELECT uid FROM ?? where Gender IN (?)';
connection.query(myQuery, [ tableName, Info.Gender ], ...);
robertklep
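
The difference between concatenating the list and passing it as placeholder values, as an added example that is not code from this thread or from node-mysql. `ALLOWED_TABLES`, `buildGenderQuery` and `concatenated` are hypothetical names, the table allowlist is an assumption, and the sample values are constructed.

```javascript
// Added example: build "WHERE ... IN" for a parameterized query.
// ALLOWED_TABLES and buildGenderQuery are hypothetical names, not node-mysql API.
const ALLOWED_TABLES = new Set(['appUsers']); // assumed list of tables the caller may query

// Concatenated form from the question and the second answer, kept for comparison.
function concatenated(tableName, genders) {
  return "SELECT uid FROM " + tableName +
         " where Gender IN ('" + genders.join("','") + "')";
}

// Returns { sql, values } for a driver that accepts "?" placeholders.
function buildGenderQuery(tableName, genders) {
  // A table name cannot be bound as a value, so accept only known names.
  if (!ALLOWED_TABLES.has(tableName)) {
    throw new Error('unknown table: ' + tableName);
  }
  if (!Array.isArray(genders) || genders.some((g) => typeof g !== 'string')) {
    throw new TypeError('genders must be an array of strings');
  }
  // "IN ()" is a MySQL syntax error; return a query that matches no rows.
  if (genders.length === 0) {
    return { sql: 'SELECT uid FROM `' + tableName + '` WHERE 1 = 0', values: [] };
  }
  // One "?" per element: the SQL text no longer depends on the values.
  const marks = genders.map(() => '?').join(', ');
  return {
    sql: 'SELECT uid FROM `' + tableName + '` WHERE Gender IN (' + marks + ')',
    values: genders.slice(),
  };
}

// Constructed sample input: the second value contains a single quote.
const sample = ['Male', "Fe'male"];
console.log(concatenated('appUsers', sample));     // the quote ends the literal early
console.log(buildGenderQuery('appUsers', sample)); // the quote stays inside values[]
```

The returned pair can be passed as `connection.query(q.sql, q.values, callback)`.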
2

You need single quotes in your query:

var myQuery = "SELECT uid FROM " +tableName+ " where Gender IN ('" + Info.Gender.join("','") + "')";
Clay