是否有可能阻止Node.js中的SQL注入(最好使用模块),就像PHP具有保护它们的Prepared Statements一样.
如果是这样,怎么样?如果没有,有哪些例子可能会绕过我提供的代码(见下文).
一些背景:
我正在使用node-mysql模块制作一个带有Node.js + MySql的后端堆栈的Web应用程序.从可用性的角度来看,该模块很棒,但它还没有实现类似于PHP的Prepared Statements(虽然我知道它是在todo上).
根据我的理解,PHP的预处理语句的实现,尤其有助于防止SQL注入.但我担心,我的node.js应用程序可能会受到类似的攻击,即使默认情况下提供了字符串转义(如下面的代码片段).
node-mysql似乎是node.js最受欢迎的mysql连接器,所以我想知道其他人可能正在做什么(如果有的话)来解决这个问题 - 或者甚至是node.js开头的问题(不确定这是怎么回事,因为涉及用户/客户端输入).
我应该暂时切换到node-mysql-native,因为它确实提供了预准备语句吗?我对此犹豫不决,因为它似乎不像node-mysql那样活跃(尽管这可能只是意味着它已经完成).
这是一个用户注册代码片段,它使用sanitizer模块,以及node-mysql准备的类似语句的语法(如上所述,它可以进行字符转义),分别防止跨站点脚本和sql注入:
// Prevent xss
var clean_user = sanitizer.sanitize(username);
// assume password is hashed already
var post = {Username: clean_user, Password: hash};
// This just uses connection.escape() underneath
var query = connection.query('INSERT INTO users SET ?', post,
function(err, results)
{
// Can a Sql injection happen here?
});
我的Node Web应用程序需要持久的MySQL连接.问题是这种情况每天发生几次:
Error: Connection lost: The server closed the connection.
at Protocol.end (/var/www/n/node_modules/mysql/lib/protocol/Protocol.js:73:13)
at Socket.onend (stream.js:79:10)
at Socket.EventEmitter.emit (events.js:117:20)
at _stream_readable.js:895:16
at process._tickCallback (node.js:415:13)
error: Forever detected script exited with code: 8
error: Forever restarting script for 2 time
info: socket.io started
这是我的连接代码:
// Yes I know multipleStatements can be dangerous in the wrong hands.
var sql = mysql.createConnection({
host: 'localhost',
user: 'my_username',
password: 'my_password',
database: 'my_database',
multipleStatements: true
});
sql.connect();
function handleDisconnect(connection) {
connection.on('error', function(err) {
if (!err.fatal) { …我试图找出在我的express.js路由之间传递mysql连接(使用node-mysql)的最佳方法.我正在动态添加每个路由(在路由中使用for each文件循环),这意味着我不能只将连接传递给需要它的路由.我要么将它传递给每条路线,要么根本不传递.我不喜欢将它传递给那些不需要它的想法所以我创建了一个dbConnection.js,路由可以根据需要单独导入.问题是我不认为我正确地做到了.截至目前,我的dbConnection.js包含:
var mysql = require('mysql');
var db = null;
module.exports = function () {
if(!db) {
db = mysql.createConnection({
socketPath: '/tmp/mysql.sock',
user: '*********',
password: '*********',
database: '**********'
});
}
return db;
};
我使用以下方法将其导入每条路线:
var db = require('../dbConnection.js');
var connection = new db();
但我想这样做:
var connection = require('../dbConnection.js');
然而,当我这样尝试时,我得到一个错误,当我尝试进行查询时,连接没有方法'查询'.
如何在node-mysql中转义MySQL LIKE语句?
有点像
"SELECT * FROM card WHERE name LIKE '%" + connection.escape(req.body.search) + "%'"
结果是
'SELECT * FROM card WHERE name LIKE \'%\'hello\'%\''
这是语法错误.如果我使用替代语法
connection.query("SELECT * FROM card WHERE name LIKE '%?%'", req.body.search, function () {});
导致类似的语法错误.我也试过了
connection.query("SELECT * FROM card WHERE name LIKE ?", '%' + req.body.search + '%', function () {});
这最终会逃脱'%'的标志.
我有一个简单的代码,为特定路由提供JSON响应.这是我目前的代码:
var express = require('express')
, async = require('async')
, http = require('http')
, mysql = require('mysql');
var app = express();
var connection = mysql.createConnection({
host: 'localhost',
user: '****',
password: "****",
database: 'restaurants'
});
connection.connect();
// all environments
app.set('port', process.env.PORT || 1235);
app.use(express.static(__dirname + '/public/images'));
app.get('/DescriptionSortedRating/',function(request,response){
var name_of_restaurants;
async.series( [
// Get the first table contents
function ( callback ) {
connection.query('SELECT * FROM restaurants ORDER BY restaurantRATING', function(err, rows, fields)
{
console.log('Connection result error '+err);
name_of_restaurants = rows;
callback(); …我有一个python背景,目前正在迁移到node.js. 由于其异步性质,我有问题调整到node.js.
例如,我试图从MySQL函数返回一个值.
function getLastRecord(name)
{
var connection = getMySQL_connection();
var query_str =
"SELECT name, " +
"FROM records " +
"WHERE (name = ?) " +
"LIMIT 1 ";
var query_var = [name];
var query = connection.query(query_str, query_var, function (err, rows, fields) {
//if (err) throw err;
if (err) {
//throw err;
console.log(err);
logger.info(err);
}
else {
//console.log(rows);
return rows;
}
}); //var query = connection.query(query_str, function (err, rows, fields) {
}
var rows = getLastRecord('name_record');
console.log(rows);
经过一些阅读,我意识到上面的代码无法工作,我需要返回一个由于node.js异步性质的承诺.我不能像python一样编写node.js代码.如何转换getLastRecord() …
我目前正在试验ECMA6课程.我目前的课程如下所示
class Player {
constructor(id) {
this.id = id;
this.cash = 350;
}
get cash() {
return this.cash;
}
set cash(value) { // line 19
this.cash = value; // line 20
}
};
当我现在通过调用创建一个新的对象时,let playerObject = new Player(1);我收到以下错误
...\node_modules\mysql\lib\protocol\Parser.js:82
throw err;
^
RangeError: Maximum call stack size exceeded
at Player.cash (player.js:19:11)
at Player.cash (player.js:20:15)
at Player.cash (player.js:20:15)
at Player.cash (player.js:20:15)
at Player.cash (player.js:20:15)
at Player.cash (player.js:20:15)
at Player.cash (player.js:20:15)
at Player.cash (player.js:20:15)
at Player.cash (player.js:20:15)
at Player.cash (player.js:20:15) …我试图用node.js插入一些数据.我已经编写了以下代码并通过npm安装了MySQL支持,但我未能成功INSERT INTO.
这是我的代码:
var mysql = require('mysql');
function BD() {
var connection = mysql.createConnection({
user: 'root',
password: '',
host: 'localhost',
port: 3306,
database: 'nodejs'
});
return connection;
}
app.post("/user/create", function(req, res) {
var objBD = BD();
var post = {
username: req.body.username,
password: req.body.password
};
objBD.query('INSERT INTO users VALUES ?', post, function(error) {
if (error) {
console.log(error.message);
} else {
console.log('success');
}
});
});
HTML代码:
<form action="/user/create" method="POST" class="form-horizontal">
<input type="text" id="username_input" name="username">
<input type="text" id="password_input" name="password">
<input …我正在使用node-mysql和大多数查询.工作.一些查询不起作用.我尝试了每个版本的Node(从0.5 ......)到(5.6.0),我也尝试过(4.0)和(4.1),没有任何帮助.
我试图改变,并没有奏效.我试图将sequence文件更改为:this._idleTimeout = -1;并没有帮助.
我读了这些问题和GitHub,没有任何帮助.
我可以尝试自己修复它,但我需要更多信息.超时在哪里,为什么?什么时候?什么是这种消息?超时来自哪里?
MYSQL_ERROR { [Error: Handshake inactivity timeout]
code: 'PROTOCOL_SEQUENCE_TIMEOUT', fatal: true,
timeout: 10000 }
我正在尝试使用节点mysql库重现我在EC2上的node.js应用程序中看到的MySQL错误:
连接丢失:服务器关闭了连接.
我无法在本地重现错误 - 我的代码处理数据库的处理很好 - 它只需每隔几秒重新检查一次,并在重新启动后重新连接到数据库.在EC2上,它发生在太平洋时间凌晨4点左右,但数据库仍然运行正常.
我想
这是我的node.js应用程序中的错误:
2012-10-22T08:45:40.518Z - 错误:uncaughtException date = Mon Oct 22 2012 08:45:40 GMT + 0000(UTC),pid = 14184,uid = 0,gid = 0,cwd =/home/ec2 -user/my-app,execPath =/usr/bin/nodejs,version = v0.6.18,argv = [/ usr/local/bin/node,/ home/ec2-user/my-app/app.js, - -my-app],rss = 15310848,heapTotal = 6311392,heapUsed = 5123292,loadavg = [0.0029296875,0.0146484375,0.04541015625],正常运行时间= 3238343.511107486,trace = [column = 13,file =/home/ec2-user/my- app/node_modules/mysql/lib/protocol/Protocol.js,function = Protocol.end,line = 63,method = end,native = false,column = 10,file = stream.js,function = Socket.onend,line = 80,method = onend,native = false,column = 20,file …
node-mysql ×10
node.js ×10
mysql ×7
javascript ×3
express ×2
asynchronous ×1
promise ×1
sql-insert ×1