Question
This probably has a really easy answer but I'm not seeing it.
I want to do a raw query using Sequelize:
var sequelize = require('sequelize');
sequelize
  // Adjacent string pieces are concatenated; a double-quoted JS string cannot span lines.
  .query("LOAD DATA LOCAL INFILE :file " +
         "INTO TABLE :table " +
         "FIELDS TERMINATED BY ',' ENCLOSED BY '\"' LINES TERMINATED BY '\n';",
    null,
    {raw: true},
    {file: datasetPath, table: "dataset_" + datasetName});
The issue is that the replacement string includes single quotes for both the :file replacement (which is good because it's a path) and the :table replacement (which is bad because it's just supposed to be an unadorned table name, and breaks the query). How do I avoid those quotes in the case of the table name replacement?
Thanks.
Answer 1:
If you're sure that datasetName will never contain any possibility of SQL injections, you can directly insert the table name into the query, like so:
sequelize
  // datasetName is concatenated into the SQL text unescaped (see the condition above).
  .query("LOAD DATA LOCAL INFILE :file " +
         "INTO TABLE dataset_" + datasetName + " " +
         "FIELDS TERMINATED BY ',' ENCLOSED BY '\"' LINES TERMINATED BY '\n';",
    null,
    {raw: true},
    {file: datasetPath});
The comment posted by mwarren doesn't really work in this case - Sequelize is seeing that it is a string being inserted, and accordingly escapes it.
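An added example, not part of the original question or answer and not Sequelize's own code: one way to enforce the answer's precondition in code, by allowlisting the dataset name and backtick-quoting the table identifier before concatenating it, while the file path stays a bound `:file` replacement. The helper names `quoteMysqlIdentifier` and `buildLoadDataQuery`, the allowlist pattern and the sample inputs are assumptions.

```javascript
// Assumed policy: dataset names are 1-56 ASCII letters, digits or underscores,
// so "dataset_" + name stays within MySQL's 64-character identifier limit.
const DATASET_NAME = /^[A-Za-z0-9_]{1,56}$/;

// Quote a MySQL identifier: wrap it in backticks and double any embedded
// backtick. Identifiers cannot be bound as values, so they are quoted as text.
function quoteMysqlIdentifier(identifier) {
  if (typeof identifier !== 'string' || identifier.length === 0 ||
      identifier.length > 64 || identifier.includes('\0')) {
    throw new TypeError('invalid MySQL identifier');
  }
  return '`' + identifier.replace(/`/g, '``') + '`';
}

// Build the SQL text and the replacements object. Only the table name is
// concatenated, and only after passing the allowlist; the path is still :file.
function buildLoadDataQuery(datasetName, datasetPath) {
  if (typeof datasetName !== 'string' || !DATASET_NAME.test(datasetName)) {
    throw new Error('rejected dataset name: ' + JSON.stringify(datasetName));
  }
  const table = quoteMysqlIdentifier('dataset_' + datasetName);
  const sql =
    'LOAD DATA LOCAL INFILE :file ' +
    'INTO TABLE ' + table + ' ' +
    "FIELDS TERMINATED BY ',' ENCLOSED BY '\"' LINES TERMINATED BY '\\n';";
  return { sql: sql, replacements: { file: datasetPath } };
}

// Constructed sample inputs: one acceptable name, one carrying a backtick
// and spaces that the allowlist refuses before any SQL is assembled.
function demo() {
  const results = [];
  for (const name of ['sales_2014', 'sales` extra']) {
    try {
      results.push(buildLoadDataQuery(name, '/tmp/upload.csv').sql);
    } catch (err) {
      results.push(err.message);
    }
  }
  return results;
}

console.log(demo().join('\n'));
```

The returned `sql` and `replacements` take the place of the query string and the `{file: datasetPath}` argument in the call shown in the answer.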
Source: https://stackoverflow.com/questions/26092913/using-replacements-with-a-raw-sequelize-query-avoiding-single-quotes