tediousjs / node-mssql

Microsoft SQL Server client for Node.js
https://tediousjs.github.io/node-mssql
MIT License

How to add order by from user input? #1640

Closed sytranvn closed 2 months ago

sytranvn commented 2 months ago

How can I do this?

```js
request.input("order_by", ?, "id")
request.input("order", ?, "asc")
```

```sql
SELECT
  *
FROM table
ORDER BY @order_by @order
```

dhensby commented 2 months ago

It's not possible to pass identifiers (i.e. column names, table names, etc.) as parameters in SQL, so this isn't possible as you've shown.

To do something like that you'll need a whitelist of allowed columns / orders and construct the query off the back of that, rather than allowing users to provide raw column names, etc.
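
The allowlist approach described in the answer above, as an added example that is not part of the original thread or of node-mssql itself. The column names, the `column:direction` sort format, the `@min_id` parameter and `req.query.sort` are assumptions made for illustration.

```javascript
// Added example: allowlist-based ORDER BY builder (all names are hypothetical).
// A Map is used so keys like "__proto__" or "constructor" cannot match anything.
const SORTABLE_COLUMNS = new Map([
  ["id", "[id]"],
  ["name", "[name]"],
  ["created", "[created_at]"], // client-facing key need not equal the column name
]);
const DIRECTIONS = new Map([["asc", "ASC"], ["desc", "DESC"]]);

// Accepts a spec such as "name:desc,id" and returns an ORDER BY clause built
// only from the fixed strings above. User text is never copied into the SQL.
function buildOrderBy(spec, fallback = "id:asc") {
  const raw = typeof spec === "string" && spec.trim() !== "" ? spec : fallback;
  const seen = new Set();
  const terms = raw.split(",").map((part) => {
    const [key, dir = "asc", ...rest] = part.trim().split(":");
    const column = SORTABLE_COLUMNS.get(key);
    const direction = DIRECTIONS.get(dir.toLowerCase());
    if (!column || !direction || rest.length > 0) {
      throw new RangeError("unsupported sort term");
    }
    if (seen.has(column)) {
      throw new RangeError("duplicate sort column");
    }
    seen.add(column);
    return `${column} ${direction}`;
  });
  return `ORDER BY ${terms.join(", ")}`;
}

// Values (here the assumed @min_id) remain bound parameters; only the
// ORDER BY clause is assembled, and only from allowlisted literals.
function buildListQuery(sortSpec) {
  return `SELECT * FROM [table] WHERE [id] >= @min_id ${buildOrderBy(sortSpec)}`;
}

// With node-mssql the result would be used along these lines:
//   request.input("min_id", sql.Int, 1);
//   const result = await request.query(buildListQuery(req.query.sort));
```

Anything outside the allowlist raises a `RangeError`, which the caller can turn into a 400 response instead of sending the query.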