So my problem is that I'm getting this error: Uncaught Error: SQLITE_ERROR: near "@gmail": syntax error
while I'm INSERTING or UPDATING in the database.
I'm working with sqlite3 and electron. Here is my code:
function addPatient(){
    var req = 'INSERT INTO patient(nom, prenom, age, tel, mail, sexe, paiement) VALUES('+li_nom.value+','+li_prenom.value+','+li_age.value+','+li_tel.value+','+li_mail.value+','+li_sexe.value+','+li_paiement.value+')';
    db.run(req);
    event.preventDefault();
    console.log("done");
}
PS: I'm getting the data from form values.
If you need more information, do not hesitate to ask.
Thanks for the help :)
You are creating your SQL query via string concatenation, which leaves it vulnerable to SQL injection and otherwise malformed queries.
Your query basically ends up looking like this when the database receives it:
INSERT INTO patient(nom, prenom, age, tel, mail, sexe, paiement) VALUES(name,prename,25,555555555,example@gmail.com,male,500)
The issues here:
- The @ symbol is used for variables (when not part of a true string, or not quoted).

You need to use parameterized queries. This will resolve both of these issues and protect you against pretty much any SQL injection. You create placeholders in the query, then programmatically populate them via the library.
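As an added example (not the asker's or the answerer's code), here is the parameterized form the answer recommends next to the concatenated form that produced the error. It assumes the node-sqlite3 API db.run(sql, params, callback) with ? placeholders; the database object below is a constructed stand-in so the example runs without the driver installed.

```javascript
// Added example: vulnerable concatenation beside the parameterized fix.
// Assumes node-sqlite3's db.run(sql, params, callback) with "?" placeholders.
const COLUMNS = ['nom', 'prenom', 'age', 'tel', 'mail', 'sexe', 'paiement'];

// The asker's approach: form values spliced straight into the SQL text.
// example@gmail.com lands unquoted, so SQLite reads "@gmail" as a parameter
// token and fails; a value containing ' or ; could rewrite the statement.
function buildInsertUnsafe(values) {
  return 'INSERT INTO patient(' + COLUMNS.join(', ') + ') VALUES(' +
    COLUMNS.map((c) => values[c]).join(',') + ')';
}

// Parameterized form: the SQL text is constant, every value travels in the
// params array and is bound by the driver, so it is never parsed as SQL.
function buildInsertSafe(values) {
  const sql = 'INSERT INTO patient(' + COLUMNS.join(', ') + ') VALUES(' +
    COLUMNS.map(() => '?').join(',') + ')';
  return { sql, params: COLUMNS.map((c) => values[c]) };
}

// Runs the safe statement against a sqlite3-style db object; resolves with
// the row id and change count that node-sqlite3 exposes on `this`.
function addPatient(db, values) {
  const { sql, params } = buildInsertSafe(values);
  return new Promise((resolve, reject) => {
    db.run(sql, params, function (err) {
      if (err) reject(err);
      else resolve({ lastID: this.lastID, changes: this.changes });
    });
  });
}

// Constructed sample form values (hypothetical patient record).
const sample = { nom: 'name', prenom: 'prename', age: 25, tel: '555555555',
  mail: 'example@gmail.com', sexe: 'male', paiement: 500 };

// Constructed stand-in for the driver: records what would be sent to SQLite
// and invokes the callback the way node-sqlite3 does (no real database).
const fakeDb = {
  calls: [],
  run(sql, params, cb) {
    this.calls.push({ sql, params });
    cb.call({ lastID: 1, changes: 1 }, null);
  },
};

addPatient(fakeDb, sample).then((r) => console.log('inserted row', r.lastID));
```

In the real app, pass the sqlite3 Database instance instead of fakeDb; the statement text sent to SQLite no longer depends on what the user typed.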