Closed 8483 closed 1 year ago
That's because ConnectionPools don't have an .input() method. You need to create a request and use that:
```diff
router.get("/api/users/:userId", async (req, res, next) => {
  try {
    let userId = req.params.userId;
+   const dbReq = req.app.locals.pool.request();
-   req.app.locals.pool.input("userId", sql.Int, userId); // <------- HERE
+   dbReq.input("userId", sql.Int, userId); // <------- HERE
    let query = `
      select *
      from bi_user u
      where u.id = @userId
      ;
    `;
+   let result = await dbReq.query(query);
    let final = result.recordset[0];
    res.send(final);
  } catch (err) {
    next(err);
  }
});
```
But you can do this all in one step using tagged template literals:
```diff
router.get("/api/users/:userId", async (req, res, next) => {
  try {
    let userId = req.params.userId;
-   let query = `
-     select *
-     from bi_user u
-     where u.id = @userId
-     ;
-   `;
-
+   let result = await req.app.locals.pool.query`SELECT * FROM [bi_user] AS [u] WHERE [u].[id] = ${userId};`;
    let final = result.recordset[0];
    res.send(final);
  } catch (err) {
    next(err);
  }
});
```
Ahhhh, I see. Thank you so much for the reply.
A quick question... Isn't the template literal vulnerable to SQL injection?
> A quick question... Isn't the template literal vulnerable to SQL injection?

No. You can read about tagged template literals. But as long as you pass the template to the query method without braces then the library can perform the parameterisation of the query auto-magically. You can see how it works here.
So this is not vulnerable:
```js
const result = await req.app.locals.pool.query`SELECT * FROM [bi_user] AS [u] WHERE [u].[id] = ${userId};`;
```
This is vulnerable:
```js
const result = await req.app.locals.pool.query(`SELECT * FROM [bi_user] AS [u] WHERE [u].[id] = ${userId};`);
```
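To make the difference between the two calls above concrete without a database, here is an added example (not code from this thread or from the node-mssql project) that implements a tiny stand-in for what a tagged-template `query` does with the pieces JavaScript hands it. The helper names `buildParameterised`, `safeQuery`, `unsafeQuery` and `safeQueryTwoParams`, and the `@p0`/`@p1` naming, are assumptions for this illustration; the real library additionally infers SQL types and sends the values to SQL Server as parameters rather than returning an object.

```javascript
// Added example: a minimal model of tagged-template parameterisation.
// NOT the mssql library's own code; helper names are assumptions.

// A tag function receives the literal SQL fragments in `strings` and the
// ${...} expressions in `values`, separately. Each value becomes a named
// parameter (@p0, @p1, ...) and never enters the SQL text itself.
function buildParameterised(strings, ...values) {
  const params = [];
  let text = strings[0];
  values.forEach((value, i) => {
    const name = `p${i}`;
    params.push({ name, value }); // mssql would also infer a SQL type here
    text += `@${name}${strings[i + 1]}`;
  });
  return { text, params };
}

// Tagged form, as in pool.query`...${userId}`: the engine sees "@p0".
function safeQuery(userId) {
  return buildParameterised`SELECT * FROM [bi_user] AS [u] WHERE [u].[id] = ${userId};`;
}

// Untagged form, as in pool.query(`...${userId}`): the string is assembled
// before the call, so whatever userId contained is spliced into the SQL.
function unsafeQuery(userId) {
  return `SELECT * FROM [bi_user] AS [u] WHERE [u].[id] = ${userId};`;
}

// The same rule holds for any number of placeholders.
function safeQueryTwoParams(userId, tenantId) {
  return buildParameterised`SELECT * FROM [bi_user] AS [u] WHERE [u].[id] = ${userId} AND [u].[tenant] = ${tenantId};`;
}

// Constructed input that is not a plain integer, to show where it ends up.
const suspiciousUserId = "42 OR 1=1";

const safe = safeQuery(suspiciousUserId);
console.log(safe.text);   // SELECT * FROM [bi_user] AS [u] WHERE [u].[id] = @p0;
console.log(safe.params); // [ { name: 'p0', value: '42 OR 1=1' } ]
console.log(unsafeQuery(suspiciousUserId)); // SELECT * FROM [bi_user] AS [u] WHERE [u].[id] = 42 OR 1=1;
```

Reading the two printed statements side by side is the whole point: in the tagged form the value travels in `params` and the SQL text is fixed at `@p0`, which is also exactly what the explicit `request().input("userId", sql.Int, userId)` pattern from the earlier reply produces by hand. In the untagged form the value has already become part of the statement before `query` is ever called, so no library can parameterise it afterwards. A quick code-review check for this class of bug in mssql code is therefore: every `pool.query(` or `request.query(` whose argument is a template literal containing `${` is a finding.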
I did not know this also. Thank you again for taking the time to help me out. God bless you!
I'm trying to follow the documentation for node mssql on creating pools.
I get this error...
Expected behaviour:
Create a global pool and add inputs to queries.
Actual behaviour:
Here's the code:
server.js
route.js
Configuration:
Software versions