How can I bind a variable to sequelize literal?
24,844
You can turn defaultingLoans into a function which accepts an amount:
const defaultingLoans = amount => await Loan.findAll({
where: {
[Op.and]: database.sequelize.literal(`EXISTS(SELECT * FROM "Instalments" WHERE "Instalments"."loanId" = "Loan"."id" AND "Instalments"."amount" = ${amount})`)
}
});
usage:
const loans = defaultingLoans(2000);
EDIT: Although it should be noted here that you need to sanitize or quote the amount getting passed into this function to avoid SQL injection attacks.
Related videos on Youtube
27 : 38
#21 Kết Nối Tới MySQL Database với Sequelize - Render Dữ Liệu Ra View | Cấu hình cho Node.JS phần 3
49 : 59
Sequelize ORM Tutorial (all in one video)
05 : 51
JavaScript Template Literals
16 : 34
Optimizing Sequelize with Raw Queries
29 : 17
#20 Tạo tables, thêm dữ liệu database với Sequelize CLI - Cấu hình database cho Node.JS phần 2
22 : 56
Express - Pagination with Sequelize
21 : 12
Sequelize Tutorial: Episode 9 - SQL Injection and Raw Queries
Comments
-
proton almost 2 years
I have this subquery that is used to check the existence of a column related to the source model.
const defaultingLoans = await Loan.findAll({ where: { [Op.and]: database.sequelize.literal('EXISTS(SELECT * FROM "Instalments" WHERE "Instalments"."loanId" = "Loan"."id" AND "Instalments"."status" = 'pending')') } });The query works fine but the value
pendingideally won't be fixed so I'll like to have a variable there that can be used to query for different status.How can I replace the pending string with a variable.
Concatenation didn't work here because Sequelize has a weird way of parsing concatenated SQL queries which result in an error. An example is here https://pastebin.com/u8tr4Xbt and I took a screenshot of the error here
-
Taplar over 5 yearsAre you familiar with concatenating variables to strings?
-
proton over 5 years@Hydrothermal String concatenation doesn't work with sequelize literal
-
Taplar over 5 yearsWhat makes you say that?
literal()is being given a string as an argument. It doesn't matter how it's constructed. Just that it is a valid string.literal('abc')andliteral('ab'+ 'c')would both pass the same string to the method -
proton over 5 yearsThere seems to be a problem with the way sequelize parses concatenated SQL strings, take a look at the query: pastebin.com/u8tr4Xbt The image is the error gotten when I run that: imagebin.ca/v/4RbsQOAPaxvO
-
-
proton over 5 yearsThere seems to be a problem with the way sequelize parses concatenated SQL strings, take a look at the query: pastebin.com/u8tr4Xbt The image is the error gotten when I run that: imagebin.ca/v/4RbsQOAPaxvO
-
ic3b3rg over 5 yearsThat's because
clause1andclause2are strings - you need to include quotes around the concatenated values when using strings -
proton over 5 yearsSomething like this database.sequelize.literal(
EXISTS(SELECT * FROM "Instalments" WHERE "Instalments"."loanId" = "Loan"."id" AND "Instalments"."status" IN ("${clause1}", "${clause2}"))) yeah? Still gives me the same error. -
proton over 5 yearsIf not, can you help share a sample of what you're talking about, thanks.
-
ic3b3rg over 5 yearsI believe sequelize requires single quotes for strings, so try
('${clause1}', '${clause2}') -
Rishabh Jha over 3 yearsThis isn't exactly binding. It'll concatenate the param to the query string.
-
Guido Dizioli over 3 yearsBe careful with SQL Injection in this cases if this is exposed to users. Amount could be'2000; DELETE FROM "Instalments";'
