I'm getting ER_PARSE_ERROR when question mark (?) is added into message variable.
My code :
socket.on("chat message", (data) => {
const { sender, receiver, message, ad_id, category_id } = data;
const sql = `INSERT INTO tbl_user_chats (sender,receiver,message,ad_id,category_id) VALUES (${sender}, ${receiver}, '${message}', ${ad_id}, ${category_id})`;
con.query(sql,data, function (err, result) {
if (err) throw err;
console.log("1 record inserted");
});
Error :
code: 'ER_PARSE_ERROR',
errno: 1064,
sqlMessage: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1531', `receiver` = 735, `message` = 'yeah fine, and you ?', `created_at` = 1663' at line 1",
sqlState: '42000',
index: 0,
sql: "INSERT INTO tbl_user_chats (sender,receiver,message,ad_id,category_id) VALUES (1531, 735, 'yeah fine, and you `sender` = '1531', `receiver` = 735, `message` = 'yeah fine, and you ?', `created_at` = 1663745307202, `ad_id` = 182, `category_id` = 3', 182, 3)"
If i not add message by excluding question mark (?) it works and inserted into table.
How to fix the parse error when i include question mark character in my message ?
CodePudding user response:
You should never add external input into queries directly (search "SQL injection").
Instead, use the escaping methods provided by the mysql
library:
const { sender, receiver, message, ad_id, category_id } = data;
const sql = `INSERT INTO tbl_user_chats (sender,receiver,message,ad_id,category_id) VALUES (?, ?, ?, ?, ?)`;
con.query(sql, [ sender, receiver, message, ad_id, category_id ], ...)