bestlong / node-red-contrib-mssql-plus

A Node-RED node to read and write to Microsoft MS SQL Databases
MIT License

SQL Parameter Escaping may be required? #36

Closed harmonic7 closed 3 years ago

harmonic7 commented 3 years ago

Hi There, I see that the payload.Name doesn't get escaped before inserting into the database:

INSERT INTO TempDestination VALUES ({{{payload.Id}}}, '{{{payload.Name}}}')

For instance, if we have payload.Name containing a first character of ', then the payload.Name is populated into the database as an empty string.

Steve-Mcl commented 3 years ago

Hi again @harmonic7 - it was never the intention of mustache in this node to be a substitute for actual parameters. It is literally a string substitute so unfortunately, if payload.name is Des O'Connor then the single quote is going to trip it up.

Now that the node actually supports parameters, this is much easier to handle...

I will leave the issue open for @bestlong to comment, but it is my recommendation we leave mustache alone (for backwards compatibility)

Or if you are happy with the parameter solution, feel free to close this issue.
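The point made in the comment above, as an added example that is not code from node-red-contrib-mssql-plus or its authors: plain string substitution of `{{{payload.Name}}}` puts the value into the SQL text, so a single quote ends the literal early and whatever follows is parsed as SQL. The helper names here (`mustacheSubstitute`, `tokenizeLiterals`, `buildParameterised`, `escapeSqlString`) are this example's own; the `@Id`/`@Name` placeholders are the T-SQL named-parameter convention that a driver such as the `mssql` npm package accepts through `request.input()`. No database is needed to run it; the literal tokenizer stands in for the server's parse.

```javascript
// Added example, not code from node-red-contrib-mssql-plus. It reproduces the
// issue above (raw {{{mustache}}} substitution into SQL text) without a
// database, and contrasts it with a parameterised statement. Helper names
// are this example's own; the @Id/@Name placeholders follow the T-SQL named
// parameter convention a driver such as mssql accepts via request.input().

const TEMPLATE =
  "INSERT INTO TempDestination VALUES ({{{payload.Id}}}, '{{{payload.Name}}}')";

// Triple-mustache substitution as plain string replacement: the value is
// inserted verbatim, with no SQL escaping (triple braces only disable
// mustache's HTML escaping, which is irrelevant to SQL anyway).
function mustacheSubstitute(template, msg) {
  return template.replace(/\{\{\{\s*([\w.]+)\s*\}\}\}/g, (_, path) => {
    const value = path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), msg);
    return value === undefined ? "" : String(value);
  });
}

// Split a T-SQL statement into "code" and "literal" segments, honouring the
// doubled-quote escape ('') inside a literal. Anything that lands in a code
// segment is executed as SQL, which is the injection surface.
function tokenizeLiterals(sql) {
  const parts = [];
  let code = "";
  let i = 0;
  while (i < sql.length) {
    if (sql[i] !== "'") { code += sql[i++]; continue; }
    if (code) { parts.push({ type: "code", text: code }); code = ""; }
    let text = "", closed = false;
    let j = i + 1;
    while (j < sql.length) {
      if (sql[j] !== "'") { text += sql[j++]; continue; }
      if (sql[j + 1] === "'") { text += "'"; j += 2; continue; } // '' inside a literal is one '
      closed = true; j++; break;
    }
    parts.push({ type: "literal", text, closed });
    i = j;
  }
  if (code) parts.push({ type: "code", text: code });
  return parts;
}

// Everything the server would parse as SQL code (i.e. outside string literals).
function codeOutsideLiterals(sql) {
  return tokenizeLiterals(sql).filter(p => p.type === "code").map(p => p.text).join("");
}

function hasUnterminatedLiteral(sql) {
  return tokenizeLiterals(sql).some(p => p.type === "literal" && !p.closed);
}

// Escaping fallback for the rare case a literal must be inlined: double every
// single quote. Still inferior to parameters (typing of numbers, dates and
// NVARCHAR is left to you), but it keeps the value inside the literal.
function escapeSqlString(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Preferred form: placeholders in the statement, values shipped separately as
// typed parameters, so the driver never splices them into the SQL text.
function buildParameterised(msg) {
  return {
    sql: "INSERT INTO TempDestination VALUES (@Id, @Name)",
    params: { Id: Number(msg.payload.Id), Name: String(msg.payload.Name) },
  };
}

// Constructed sample messages: the O'Connor case from the thread, and a
// deliberately hostile name that turns the stray quote into a second statement.
const benign = { payload: { Id: 1, Name: "Des O'Connor" } };
const hostile = { payload: { Id: 2, Name: "x'); DELETE FROM TempDestination; --" } };

if (typeof require !== "undefined" && require.main === module) {
  for (const msg of [benign, hostile]) {
    const raw = mustacheSubstitute(TEMPLATE, msg);
    console.log("mustache  :", raw);
    console.log("  as code :", codeOutsideLiterals(raw));
    console.log("parameters:", JSON.stringify(buildParameterised(msg)));
  }
}
```

For the O'Connor message the substituted statement is `INSERT INTO TempDestination VALUES (1, 'Des O'Connor')`: the literal closes after `Des O`, `Connor` becomes SQL code and the trailing `')` is an unterminated literal, so the statement fails. The hostile name shows the same mechanism carrying a second statement. With `buildParameterised` the hostile string only ever exists as the value of `params.Name`, which is what a driver binds as a typed parameter rather than text.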

harmonic7 commented 3 years ago

Fantastic, thanks for that @Steve-Mcl. I'll use the parameter syntax that you mention above 👍

Closing now.