安全性測(cè)試 - nodejs中如何防m(xù)ySQL注入
問(wèn)題描述
如題,如能有具體示例或demo鏈接感激不盡
問(wèn)題解答
回答1:使用escape()對(duì)傳入?yún)?shù)進(jìn)行編碼var userId = 1, name = ’test’;var query = connection.query(’SELECT * FROM users WHERE id = ’ + connection.escape(userId) + ’, name = ’ + connection.escape(name), function(err, results) { // ...});console.log(query.sql); // SELECT * FROM users WHERE id = 1, name = ’test’使用connection.query()的查詢(xún)參數(shù)占位符
var userId = 1, name = ’test’;var query = connection.query(’SELECT * FROM users WHERE id = ?, name = ?’, [userId, name], function(err, results) { // ...});console.log(query.sql); // SELECT * FROM users WHERE id = 1, name = ’test’使用escapeId()編碼SQL查詢(xún)標(biāo)識(shí)符
var sorter = ’date’;var sql = ’SELECT * FROM posts ORDER BY ’ + connection.escapeId(sorter);connection.query(sql, function(err, results) { // ...});使用mysql.format()轉(zhuǎn)義參數(shù)
var userId = 1;var sql = 'SELECT * FROM ?? WHERE ?? = ?';var inserts = [’users’, ’id’, userId];sql = mysql.format(sql, inserts); // SELECT * FROM users WHERE id = 1
Ref: http://www.dengzhr.com/node-j...
PS: Google第一頁(yè)就是答案
相關(guān)文章:
1. angular.js - angularjs如何傳遞id給另一個(gè)視圖 根據(jù)id獲取json數(shù)據(jù)?2. java - HashSet<int> 為何有錯(cuò)誤?3. mysql - 記得以前在哪里看過(guò)一個(gè)估算時(shí)間的網(wǎng)站4. 使用text-shadow可以給圖片加陰影嗎?5. docker start -a dockername 老是卡住,什么情況?6. nginx啟用gzip壓縮后,文件尺寸無(wú)變化.7. 在windows下安裝docker Toolbox 啟動(dòng)Docker Quickstart Terminal 失敗!8. 數(shù)據(jù)庫(kù)無(wú)法進(jìn)入9. docker images顯示的鏡像過(guò)多,狗眼被亮瞎了,怎么辦?10. boot2docker無(wú)法啟動(dòng)
網(wǎng)公網(wǎng)安備