Use replacements with raw Sequelize query: avoid single quotes?

This probably has a very simple answer, but I don't see it.

I want to make a raw request using Sequelize:

var sequelize = require('sequelize');
// The statement is built by concatenation: a JavaScript string literal cannot span lines.
sequelize
   .query("LOAD DATA LOCAL INFILE :file " +
          "INTO TABLE :table " +
          "FIELDS TERMINATED BY ',' ENCLOSED BY '\"' LINES TERMINATED BY '\n';",
          null,
          {raw:true},
          {file: datasetPath, table: "dataset_" + datasetName})

      

The problem is that the replacement string includes single quotes for replacement :file (which is good, because that is the path) and replacement :table (which is bad, because it just has to be a name without quotes, and splits the query). How to avoid these quotes in case of table name replacement?

Thanks.

+3




1 answer


If you are sure that datasetName will never contain any possibility of SQL injection, you can directly insert the table name into the query, for example:

// The table name is concatenated into the statement; only :file remains a replacement.
sequelize
   .query("LOAD DATA LOCAL INFILE :file " +
          "INTO TABLE dataset_" + datasetName + " " +
          "FIELDS TERMINATED BY ',' ENCLOSED BY '\"' LINES TERMINATED BY '\n';",
          null,
          {raw:true}, {file: datasetPath})

      



The comment posted by mwarren doesn't really work in this case - Sequelize sees it inserted into a string and escapes it accordingly.

+1
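One way to make the "if you are sure" condition from the answer above enforceable, as an added example that is not part of the original post or of Sequelize: the table name is checked against an allowlist pattern and quoted as a MySQL identifier, while :file stays a bound replacement. The names buildLoadData, quoteIdentifier and DATASET_NAME are hypothetical, the name pattern is an assumption, and the sample inputs are constructed.

```javascript
// Added example: identifiers (table names) cannot be bound as values,
// so validate the name first, then quote it as a MySQL identifier.

// Assumption: dataset names are short ASCII words; adapt to your naming rules.
const DATASET_NAME = /^[A-Za-z0-9_]{1,48}$/;

// Quote a string as a MySQL identifier: wrap in backticks and double
// any embedded backtick (defence in depth behind the allowlist).
function quoteIdentifier(name) {
  return '`' + String(name).replace(/`/g, '``') + '`';
}

// Build the statement and the replacements object for sequelize.query().
// Only :file remains a replacement, because it is a value (a quoted path).
function buildLoadData(datasetPath, datasetName) {
  if (typeof datasetName !== 'string' || !DATASET_NAME.test(datasetName)) {
    throw new Error('invalid dataset name: ' + JSON.stringify(datasetName));
  }
  const table = quoteIdentifier('dataset_' + datasetName);
  const sql =
    'LOAD DATA LOCAL INFILE :file ' +
    'INTO TABLE ' + table + ' ' +
    "FIELDS TERMINATED BY ',' ENCLOSED BY '\"' LINES TERMINATED BY '\\n';";
  return { sql: sql, replacements: { file: datasetPath } };
}

// Constructed sample input: a well-formed name is accepted.
const accepted = buildLoadData('/tmp/sales.csv', 'sales_2015');
console.log(accepted.sql);

// Constructed sample inputs: names with spaces, quotes or separators are refused.
for (const bad of ['sales 2015', 'a`b', 'x;y', '']) {
  try {
    buildLoadData('/tmp/sales.csv', bad);
  } catch (e) {
    console.log('rejected:', e.message);
  }
}
```

In current Sequelize versions the returned pair would be passed as `sequelize.query(q.sql, { replacements: q.replacements })`.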








