I have a JSONB column in my table which I update with JSON from a 3rd party source. The problem I have is that sometimes, these fields can contain ' marks which break the query as below:
https://dbfiddle.uk/?rdbms=postgres_11&fiddle=57dc7401fc4de72137de367da7192092
I'm using Node to connect to my Postgres instance using Sequelize. I know I can escape the characters and enable standard_conforming_strings on my instance, but I'd not do this. Like below:
const obj = encodeURIComponent(JSON.stringify(data.data));
const query = `UPDATE fb_designs SET items = jsonb_set(items, '{listings, 0}', '${obj}') WHERE id = '${data.did}'`;
return sequelize.query(query, { type: sequelize.QueryTypes.SELECT})
Is there a way using either JavaScript, Sequelize or directly in Postgres that I can double up these ' to easily escape them?
- You're inlining arguments in the SQL query, which is a bad practice. I don't know anything about Sequelize, but all database libraries support providing arguments separately in an array. In the query you should only use placeholders such as '$1', '$2', etc. (syntax varies depending on the actual database). This not only provides raw data to the query but also prevents SQL injection attacks. – bitifet Commented Sep 27, 2019 at 10:31
- NOTE: If identifying arguments by their position in an array bothers you, take a look at SQLTT: npmjs./package/sqltt – bitifet Commented Sep 27, 2019 at 10:34
1 Answer
The single quotes conflict with the opening/closing quotes of the string. One way around this is to use dollar quoting instead:
'{"your":"you're"}' -> $${"your":"you're"}$$
Using your example: https://dbfiddle.uk/?rdbms=postgres_11&fiddle=468b83fca5d2d8d3a94d5b16a6b1772f
From your JS code:
const query = `UPDATE fb_designs SET items = jsonb_set(items, '{listings, 0}', $$${obj}$$) WHERE id = '${data.did}'`;
Everything inside those dollar quotes will be taken verbatim. You can also put text between the dollars so they don't conflict with other dollar quotes surrounding them (if they exist) or double dollars in your json, e.g. $my_json${"a":1}$my_json$
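The placeholder approach from bitifet's comment, as an added example that is not part of the original question or answer. It assumes Sequelize's `bind` option with `$1`/`$2` placeholders and a `::jsonb` cast on the value; `fakeSequelize`, `literalBody` and the sample data are constructed stand-ins so the block runs without a database.

```javascript
// Added example: `sequelize` is any object with Sequelize's query(sql, options) method.
// The SQL text is constant; the JSON and the id travel separately as bind parameters.
const UPDATE_LISTING_SQL =
  "UPDATE fb_designs SET items = jsonb_set(items, '{listings, 0}', $1::jsonb) WHERE id = $2";

function buildUpdate(data) {
  // Plain JSON.stringify output: no encodeURIComponent and no quote doubling needed.
  return { sql: UPDATE_LISTING_SQL, bind: [JSON.stringify(data.data), data.did] };
}

function updateListing(sequelize, data) {
  const { sql, bind } = buildUpdate(data);
  return sequelize.query(sql, { bind });
}

// For comparison, the two string-built literals discussed on this page.
const singleQuoted = (json) => `'${json}'`;
const dollarQuoted = (json) => `$$${json}$$`;

// Simplified lexer step (hypothetical helper): the literal ends at the first closing
// delimiter, so this returns the part of the input the database would treat as data.
function literalBody(literal, delim) {
  const end = literal.indexOf(delim, delim.length);
  return literal.slice(delim.length, end);
}

// Constructed sample: third-party JSON containing both ' and $$.
const sample = { did: "42", data: { your: "you're", price: "$$5 off" } };
const json = JSON.stringify(sample.data);

// Stand-in for a Sequelize instance that records what it is asked to run.
const calls = [];
const fakeSequelize = {
  query: (sql, options) => { calls.push({ sql, options }); return Promise.resolve([[], 1]); },
};

updateListing(fakeSequelize, sample);
console.log(calls[0].sql);                          // same text for every input
console.log(JSON.parse(calls[0].options.bind[0]));  // JSON arrives intact
console.log(literalBody(singleQuoted(json), "'"));  // cut short at the apostrophe
console.log(literalBody(dollarQuoted(json), "$$")); // cut short at the $$ in the data
```

With a real Sequelize instance, pass it in place of `fakeSequelize`; the query text never changes with the input, so neither `'` nor `$$` in the third-party JSON can end a literal early.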