Gle*_*Man 4 sql node.js node-mysql
我想编写一个包含NodeJS变量的SQL查询.当我这样做时,它给我一个'undefined'的错误.
我希望下面的SQL查询识别flightNo变量.如何将NodeJS变量输入到SQL查询中?它周围是否需要特殊字符$或者?.
app.get("/arrivals/:flightNo?", cors(), function(req,res){
var flightNo = req.params.flightNo;
connection.query("SELECT * FROM arrivals WHERE flight = 'flightNo'", function(err, rows, fields) {
Dav*_*ave 12
您需要将变量的值放入SQL语句中.
这不好:
"SELECT * FROM arrivals WHERE flight = 'flightNo'"
这样可行,但SQL注入攻击不安全:
"SELECT * FROM arrivals WHERE flight = '" + flightNo + "'"
为了安全地从SQL注入,你可以像这样逃避你的价值:
"SELECT * FROM arrivals WHERE flight = '" + connection.escape(flightNo) + "'"
但最好的方法是使用参数替换:
app.get("/arrivals/:flightNo", cors(), function(req, res) {
var flightNo = req.params.flightNo;
var sql = "SELECT * FROM arrivals WHERE flight = ?";
connection.query(sql, flightNo, function(err, rows, fields) {
});
});
如果要进行多次替换,请使用数组:
app.get("/arrivals/:flightNo", cors(), function(req, res) {
var flightNo = req.params.flightNo;
var minSize = req.query.minSize;
var sql = "SELECT * FROM arrivals WHERE flight = ? AND size >= ?";
connection.query(sql, [ flightNo, minSize ], function(err, rows, fields) {
});
});
| 归档时间: |
|
| 查看次数: |
19323 次 |
| 最近记录: |