Why is my dynamic sql resulting in the error shown below? - postgresql

I am trying to build a sql statement dynamically and this is one variation of the result.
sqlQuery {
name: 'fetch-products',
text: 'select * from products where category =
$1 and designer in $2',
values: [ 'WOMENSCLOTHING', "('Adjavon', 'ALC', 'Adele', 'Bagley')" ]
}
I build the sql with the following code segment:
const {
category,
designers,
} = JSON.parse(filters);
let values = [category];
let text = 'select * from products where category = $1';
if(designers) {
text = text + ' and designer in $2';
values.push(designers);
}
I execute it in the following segment:
try {
const allProducts = await pool.query(sqlQuery);
res.status(200).json(allProducts.rows);
} catch (error) {
console.error(error);
return res.status(500).send('Problems gettting products by category.')
}
And get the following error:
error: syntax error at or near "$2"
I am thinking the error may be the double quotes placed around designer when it is pushed on the values array:
values: [ 'WOMENSCLOTHING', "('Adjavon', 'ALC', 'Adele', 'Bagley')" ]

I don't know what library you are using exactly, but the values property looks highly suspicious.
sqlQuery {
name: 'fetch-products',
text: 'select * from products where category =
$1 and designer in $2',
values: [ 'WOMENSCLOTHING', "('Adjavon', 'ALC', 'Adele', 'Bagley')" ]
}
If your drivr/library supports this, the second element in the array should be an actual array and not a string like '("foo", "bat")'. How is the driver supposed to know this is meant as a list and not a single string that has this value?
I guess in a nutshell you have to bring the query in this form:
const query = 'select * from products where category = $1 and designer in ($2, $3, $4, $5)'
const values = [ 'WOMENSCLOTHING', 'Adjavon', 'ALC', 'Adele', 'Bagley' ]
That requires some extra work on the backend to map the values and bring them into the right shape.
I guess you could get that done with something like this:
const category = 'icecream'
const designers = ['jim', 'maria']
let values = [category];
let text = 'select * from products where category = $1';
if (designers) {
text += ` and designer in (${designers.map((d, i) => `$${i+2}`).join(', ')})`;
values = [...values, ...designers];
}
console.log(text);
console.log(values);

Related

Search by first character in a column Typeorm PostgreSQL

I have a company table where I want to search companies by their name of the first letter. In my front end I have a series of letters as checkboxes from A to z and I am passing selected letters as a,b,c in my request body.
If I execute this raw query then it is working, but how I can write this in typeorm querybuilder
select * FROM companies WHERE lower(substring(name from 1 for 1)) = ANY (ARRAY['m'])
I have tried with the query below -
public async getCompanies(
pageOptionsQuery: CompanyPageOptionsDto,
): Promise<Company[]> {
const queryBuilder = this._companyRepository
.createQueryBuilder()
.select('*');
if (!!pageOptionsQuery.filter_by) {
//pageOptionsQuery.filter_by is like series of selected letters
//a,b,c
const filters = pageOptionsQuery.filter_by.split(',');
queryBuilder.where('LOWER(name) IN (:...filters )', {
filters: filters,
});
}
return queryBuilder.getRawMany();
}
This is what I have come up with -
public async getCompanies(
pageOptionsQuery: CompanyPageOptionsDto,
): Promise<Company[]> {
const queryBuilder = this._companyRepository
.createQueryBuilder()
.select('*');
if (!!pageOptionsQuery.filter_by) {
//pageOptionsQuery.filter_by is like series of selected letters
//a,b,c
const filters = pageOptionsQuery.filter_by.split(',');
queryBuilder.where(
'LOWER(SUBSTRING(name, 1, 1)) IN (:...filters)',
{
filters,
},
);
}
return queryBuilder.getRawMany();
}

Do "$1" parameters in an ilike expression need to be escaped when used with the postgres crate's query function?

I'm using the postgres crate which makes a query with postgres::Connection. I query a table based on a string value in an ilike '%search_string%' expression:
extern crate postgres;
use std::error::Error;
//DB Create queries
/*
CREATE TABLE TestTable (
Id SERIAL primary key,
_Text varchar(50000) NOT NULL
);
insert into TestTable (_Text) values ('test1');
insert into TestTable (_Text) values ('test1');
*/
fn main() -> Result<(), Box<dyn Error>> {
let conn = postgres::Connection::connect(
"postgres://postgres:postgres#localhost:5432/notes_server",
postgres::TlsMode::None,
)?;
let text = "test";
// //Does not work
// let query = &conn.query(
// "
// select * from TestTable where _text ilike '%$1%'
// ",
// &[&text],
// )?;
//Works fine
let query = &conn.query(
"
select * from TestTable where Id = $1
",
&[&1],
)?;
println!("Rows returned: {}", query.iter().count());
Ok(())
}
If I uncomment the //Does not work part of the code, I will get the following error:
thread 'main' panicked at 'expected 0 parameters but got 1'
It appears it doesn't recognize the $1 parameter that is contained in the ilike expression. I've tried escaping the single quotes and that doesn't change it.
The only dependencies are:
postgres = { version = "0.15.2", features = ["with-chrono"] }
To my surprise, here was the fix:
let text = "%test%";
let query = &conn.query(
"
select * from TestTable where _text like $1
",&[&text],
)?;
Apparently the postgres function knows to add single quotes around strings in this scenario.
I found out about this from here: https://www.reddit.com/r/rust/comments/8ltad7/horrible_quote_escaping_conundrum_any_ideas_on/
An example should do the magic.
At the top, I am using pg. So, import it. My code looks like
const title = req.params.title;
const posts = await db.query("SELECT * FROM postsTable INNER JOIN usersTable ON postsTable.author = usersTable.username WHERE title ILIKE $1 ORDER BY postsTable.created_on DESC LIMIT 5;", [`%${title}℅`])

Conditions in prepared statements in postgres

I need to add a condition inside prepared statement in postgres.
Pseudocode (doesn't works, fires an error "argument of WHERE must be type boolean, not type text"):
if (nameFilter) {
whereParam = `name LIKE %${nameFilter}%`
} else {
whereParam = "true"
}
let query = prepare("SELECT * FROM users WHERE $1", whereParam);
Pseudocode (works but looks ugly):
if (nameFilter) {
likeParam = `%${nameFilter}%`
} else {
likeParam = "%"
}
let query = prepare("SELECT * FROM users WHERE name LIKE $1", likeParam);
For some reasons(query is really complex with a bunch of AND) manipulations with a string is not an option, so this will not help
if (nameFilter) {
q = `SELECT * FROM users WHERE name LIKE $1`
} else {
q = "SELECT * FROM users"
}
let query = prepare(q, nameFilter);
Desirable to have statement similar to SELECT * FROM users WHERE $1 AND $2 AND $3 ...
Any suggestions?
This query will work for you.
select * from users where
case
when coalesce($1, '') = '' then true
else (name ~ $1)
end;
The only thing you can pass as a parameter is a constant; you cannot pass part of an SQL query like name LIKE '%pattern%'.
So if your query is really different every time, you have to construct the SQL string in your code, just like you say you cannot do "for some reasons".
It may be annoying, but there is no other way.
When you construct an SQL statement, make sure you never concatenate strings like this:
sql = "SELECT * FROM users WHERE username ='" + username + "'"
because that would be vulnerable to SQL injection.

pg-promise update where in custom array

How can the following postgresql query be written using the npm pg-promise package?
update schedule
set student_id = 'a1ef71bc6d02124977d4'
where teacher_id = '6b33092f503a3ddcc34' and (start_day_of_week, start_time) in (VALUES ('M', (cast('17:00:00' as time))), ('T', (cast('19:00:00' as time))));
I didn't see anything in the formatter namespace that can help accomplish this. https://vitaly-t.github.io/pg-promise/formatting.html
I cannot inject the 'cast' piece into the '17:00:00' value without it being considered part of the time string itself.
The first piece of the query is easy. It's the part after VALUES that i can't figure out.
First piece:
var query = `update schedule
set student_id = $1
where teacher_id = $2 and (start_day_of_week, start_time) in (VALUES $3)`;
var inserts = [studentId, teacherId, values];
I'm using this messiness right now for $3 (not working yet), but it completely bypasses all escaping/security built into pg-promise:
const buildPreparedParams = function(arr, colNames){
let newArr = [];
let rowNumber = 0
arr.forEach((row) => {
const rowVal = (rowNumber > 0 ? ', ' : '') +
`('${row.startDayOfWeek}', (cast('${row.startTime}' as time)))`;
newArr.push(rowVal);
});
return newArr;
};
The structure I am trying to convert into this sql query is:
[{
"startTime":"17:00:00",
"startDayOfWeek":"U"
},
{
"startTime":"16:00:00",
"startDayOfWeek":"T"
}]
Use CSV Filter for the last part: IN (VALUES $3:csv).
And to make each item in the array format itself correctly, apply Custom Type Formatting:
const data = [{
startTime: '17:00:00',
startDayOfWeek: 'U'
},
{
startTime: '16:00:00',
startDayOfWeek: 'T'
}];
const values = data.map(d => ({
toPostgres: () => pgp.as.format('(${startDayOfWeek},(cast(${startTime} as time))', d),
rawType: true
}));
Now passing in values for $3:csv will format your values correctly:
('U',(cast('17:00:00' as time)),('T',(cast('16:00:00' as time))

Zend_Db query and row count without pulling back everything up front

I've created my select:
$select = $zdb->select()
->from(array("b" => "blogs"),
array("id", "active", "updated_by", "title", "synopsis", "create_date", "body"))
->join(array("u" => "users"),
'b.updated_by = u.id',
array("first_name", "last_name"))
->where("u.blogger = ?", 1)
->where("b.publish_date > ?", '2020-01-01')
->where("b.active = ?", 1)
->group("b.id")
->order("b.publish_date DESC")
->limit(5);
and I want to pull the data back a row at a time:
$stmt = $db->query($select);
while ($asset = $stmt->fetch()) {
// do stuff
}
How can I check to make sure that there are rows, without returning the entire resultset?
Using the select you already have, something like that should help you parse every entry
$rows = $zdb->fetchAll($select);
foreach($rows as $row){
...
}
To get the values you just have to do $row['fieldName'] where fieldName is the name of the field in your database