{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 小情绪 Triste * 的问题《Best practice for creating SQL SELECT queries whil》','https://www.manongdao.com/q-930201.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm currently creating a NodeJS website using PostgreSQL via pg-promise.
I have a page with an HTML form with checkboxes to select variables to search the database for using various fields. These are then fed into a SQL query with pg-promise and the intended behaviour is the results are passed back to the user in JSON format.
A very minimal working example would be as follows.
HTML form:
<form action="/search" method="get">
<fieldset>
<legend>Variable A</legend>
<div>
<input type="checkbox" name="variable_a" value="apple">
<label for="variable_a">
Apple
</label>
</div>
<div>
<input type="checkbox" name="variable_a" value="orange">
<label for="variable_a">
Orange
</label>
</div>
</fieldset>
<fieldset>
<legend>Variable B</legend>
<div>
<input type="checkbox" name="variable_b" value="pear">
<label for="variable_b">
Pear
</label>
</div>
<div>
<input type="checkbox" name="variable_b" value="banana">
<label for="variable_b">
Banana
</label>
</div>
</fieldset>
<button type="submit">Search</button>
</form>
From this an URL like the following is created /search?variable_b=pear&variable_b=banana
The problem I have is when trying to create a 'catch all' SQL SELECT query to handle this search.
This is the SQL query I have created in pg-promise:
router.get('/search', function(req, res, next) {
db.any(`SELECT * FROM food
WHERE variable_a IN ($1:csv)
AND variable_b IN ($2:csv)`, [req.query.variable_a, req.query.variable_b])
.then(result=>res.send(result))
.catch();
});
This fails given the /search?variable_b=pear&variable_b=banana URL, but works with say the following URL /search?variable_a=apple&variable_b=banana.
This is undoubtedly because in the example above req.query.variable_a is undefined as no checkboxes were selected and the SQL query falls over with IN (). I should perhaps add, if variable_a or variable_b isn't defined by a checkbox, in this case the intended behaviour is there is no filter on said columns.
My question is what is the best way of handling this?
I feel like I could probably create a lot of if/else logic to handle potential undefined req.query variables and resulting SQL queries but this seems messy and not elegant.
This issue is the same as was logged here: https://github.com/vitaly-t/pg-promise/issues/442
Basically, pg-promise query formatting engine generates SQL according to your formatting parameters. It does NOT do any syntax verification on your resulting SQL.
You are generating
IN (), which is invalid SQL, so you get the error.You should check for the presence of the variable, and not even try to generate such a query when the variable is missing, because your query wouldn't be able to yield anything good then.
Example:
There can be other solutions, as pg-promise is very generic, it does not limit you the way you approach this.
For example, instead of this:
you can do this:
which will produce the same result. Whichever you like! ;)
first - your input will keep only last selected value
or you should use name with [] to inform that its an array
second - you can use ? statement just inside params or var
And inside your SQL - if you didnt send any of vars - you want get result cause its strict AND statement - var undefined - the query return false