SQL 字符串中替换的正确语法是什么

Question

I am attempting to do a basic search in my sqlite3 database with this JavaScript:

function search(query) {
  let sql = `SELECT * from tracks WHERE title LIKE '%${query}%'`

  db.sqlite.all(sql, [], (err, rows) => {
    console.log(rows)
  })
}

This works but is vulnerable to SQL injection. I am trying to get the sqlite replacements parameter to work but I cannot get the syntax right. Sqlite doesn't want to replace anything within the string literal.

// throws SQLITE_RANGE error
let sql = `SELECT * from tracks WHERE title LIKE '%$query%'`
db.sqlite.all(sql, {$query: query}, (err, rows) => {})

What is the correct way to write this so that it's not vulernable to SQL injection?

Answer 1

What are these || for? SQLite specialty? Yes, it is a way to concatenate strings in SQL - I do not know any other DBMS that uses that. So this solution only works for SQLite, but AFAIK not for MySql, Oracle, Transact SQL, ... it is not standard SQL.

I think it is hard to know this trick with ||. There is a IMHO more understandable approach, that every developer easy understands:

I would first change the value of the variable, then overgive it as a parameter to the query, like that the code should be readable - forgive me any oversight, because I am not a Javascript crack:

function search(query) {
  let likePattern = `%${query}%` // or in the very old days = '%' + query + '%'
  let sql = `SELECT * from tracks WHERE title LIKE $likePattern`

  db.sqlite.all(sql, {$likePattern: likePattern}, (err, rows) => {})
}

PS: Someone had this idea already too in the comments of the question, so if anyone upvotes this, then upvote the others comment too.

Answer 2

I figured it out

let sql = `SELECT * from tracks WHERE title LIKE '%' || $query || '%'`