You need to put the *value* of the variable into the SQL statement.
This is no good:
```javascript
"SELECT * FROM arrivals WHERE flight = 'flightNo'"
```
This will work, but it is not safe from SQL injection attacks:
```javascript
"SELECT * FROM arrivals WHERE flight = '" + flightNo + "'"
```
To prevent SQL injection you can escape your value like this:
```javascript
"SELECT * FROM arrivals WHERE flight = '" + connection.escape(flightNo) + "'"
```
But the best way is to use parameter substitution:
```javascript
var express = require("express");
var cors = require("cors");
var mysql = require("mysql");

var app = express();
var connection = mysql.createConnection({ /* host, user, password, database */ });

app.get("/arrivals/:flightNo", cors(), function(req, res) {
    var flightNo = req.params.flightNo;
    // "?" is a placeholder; the driver escapes the value before sending the query
    var sql = "SELECT * FROM arrivals WHERE flight = ?";
    connection.query(sql, flightNo, function(err, rows, fields) {
        if (err) return res.status(500).send(err.message);
        res.json(rows);
    });
});
```
If you need to make multiple substitutions, use an array:
```javascript
app.get("/arrivals/:flightNo", cors(), function(req, res) {
    var flightNo = req.params.flightNo;
    var minSize = req.query.minSize;
    // each "?" is replaced, in order, by the escaped value at the same index of the array
    var sql = "SELECT * FROM arrivals WHERE flight = ? AND size >= ?";
    connection.query(sql, [ flightNo, minSize ], function(err, rows, fields) {
        if (err) return res.status(500).send(err.message);
        res.json(rows);
    });
});
```
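Added example, not part of the original answer: a minimal, self-contained re-implementation of the client-side `escape()` and `?` placeholder substitution that the node `mysql` driver performs (the driver itself builds the final SQL string this way before sending it; the escaping rules below are a simplified assumption of its behaviour and cover only `?`, not `??` identifier placeholders). It builds the same `arrivals` query in the three styles from the answer so the difference is visible without a database. The sample input is constructed: an ordinary value containing an apostrophe, which is exactly the character that ends a quoted literal early when it is concatenated unescaped.

```javascript
// Characters a MySQL string literal must escape, mapped the way the driver does it.
const ESCAPE_MAP = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
};

// escape(): turn a JS value into a safe SQL literal (quoted and escaped),
// mirroring connection.escape() / mysql.escape() (assumed simplified rules).
function escape(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') return String(value);
  if (typeof value === 'boolean') return value ? 'true' : 'false';
  if (Array.isArray(value)) return value.map(escape).join(', ');
  const s = String(value).replace(/[\0\b\t\n\r\x1a"'\\]/g, (c) => ESCAPE_MAP[c]);
  return "'" + s + "'";
}

// format(): replace each "?" with the next escaped value, like mysql.format().
// A single non-array value is wrapped, which is why query(sql, flightNo, cb) works.
function format(sql, values) {
  if (!Array.isArray(values)) values = [values];
  let i = 0;
  return sql.replace(/\?/g, (m) => (i < values.length ? escape(values[i++]) : m));
}

// The three query-building styles from the answer.
function unsafeQuery(flightNo) {
  // string concatenation: whatever is inside flightNo lands in the SQL verbatim
  return "SELECT * FROM arrivals WHERE flight = '" + flightNo + "'";
}
function escapedQuery(flightNo) {
  // escape() already adds the surrounding quotes, so none are written by hand
  return "SELECT * FROM arrivals WHERE flight = " + escape(flightNo);
}
function parameterizedQuery(flightNo, minSize) {
  return format('SELECT * FROM arrivals WHERE flight = ? AND size >= ?', [flightNo, minSize]);
}

// Constructed sample input: a legitimate value that happens to contain an apostrophe.
const input = "O'Hare";
console.log(unsafeQuery(input));        // literal ends after O, "Hare'" is parsed as SQL
console.log(escapedQuery(input));       // the quote is escaped and stays inside the literal
console.log(parameterizedQuery(input, 3));
```

Note that with concatenation the apostrophe terminates the literal and the rest of the value is interpreted as SQL, so the statement is malformed (or, with attacker-chosen input, does something else). With `escape()` or `?` placeholders the value is always delivered as one literal, and a detection rule in application logs can simply flag any query built without placeholders.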