如何转义字符串但不影响nodejs mysql js中的LIKE结果
how to escape string but not affect LIKE result in nodejs mysql js
最近我在 nodejs web 应用程序中使用 mysqljs。
我想转义 SQL 中的所有参数以防止注入攻击。
但是在 LIKE 模式中,SQL 会受到转义字符串符号 `
的影响
Here is my query
SELECT event.name, host.name, Guest.name
FROM Event as event
LEFT JOIN Host on Host._id = event.host_id
LEFT JOIN Event_Guest on Event_Guest.event_id = Event._id
LEFT JOIN Guest on Event_Guest.guest_id = Guest._id
WHERE host._id = event.host_id AND event.status IN ('on', 'off') AND
( event.name LIKE "%?%" escape "'" OR host.name LIKE "%?%" OR guest.name LIKE "%?%")
LIMIT ?, ?;
`, [cond, cond, cond, skip, limit])
如果我申请mysql.escape(cond),SQL会是LIKE "%'cond'%".
单引号会影响结果。
如何转义参数并保持原点 SQL?
您可以将 % 添加到字符串的开头和结尾而不是 SQL,您可能也想转义原始字符串。此外,如果您看一下 https://github.com/mysqljs/mysql#escaping-query-values,您可能会注意到您不需要用双引号 (") 将您的值括起来。
假设我们正在尝试实现这样的 SQL 查询:
SELECT event.name, host.name, Guest.name
FROM Event as event
LEFT JOIN Host on Host._id = event.host_id
LEFT JOIN Event_Guest on Event_Guest.event_id = event._id
LEFT JOIN Guest on Event_Guest.guest_id = Guest._id
WHERE host._id = event.host_id
AND event.status IN ('on', 'off')
AND (event.name LIKE '%search%' escape "'" OR host.name LIKE '%search%', OR guest.name LIKE '%search')
LIMIT 10, 0;
此更新代码示例可能适合您:
new_cond = cond.slice(0, 1)+'%'+s.slice(1, cond.length-1)+'%'+cond.slice(cond.length-1);
cond = mysql.escape(new_cond); # Should look like '%term%'
status_in = ['on', 'off'];
escape_char = "'";
connection.query('SELECT event.name, host.name, Guest.name
FROM Event as event
LEFT JOIN Host on Host._id = event.host_id
LEFT JOIN Event_Guest on Event_Guest.event_id = Event._id
LEFT JOIN Guest on Event_Guest.guest_id = Guest._id
WHERE host._id = event.host_id
AND event.status IN (?)
AND ( event.name LIKE ? escape ?
OR host.name LIKE ?
OR guest.name LIKE ?
) LIMIT ?, ?;', [status_in, cond, escape_char, cond, cond, skip, limit])
最近我在 nodejs web 应用程序中使用 mysqljs。
我想转义 SQL 中的所有参数以防止注入攻击。
但是在 LIKE 模式中,SQL 会受到转义字符串符号 `
Here is my query
SELECT event.name, host.name, Guest.name
FROM Event as event
LEFT JOIN Host on Host._id = event.host_id
LEFT JOIN Event_Guest on Event_Guest.event_id = Event._id
LEFT JOIN Guest on Event_Guest.guest_id = Guest._id
WHERE host._id = event.host_id AND event.status IN ('on', 'off') AND
( event.name LIKE "%?%" escape "'" OR host.name LIKE "%?%" OR guest.name LIKE "%?%")
LIMIT ?, ?;
`, [cond, cond, cond, skip, limit])
如果我申请mysql.escape(cond),SQL会是LIKE "%'cond'%".
单引号会影响结果。
如何转义参数并保持原点 SQL?
您可以将 % 添加到字符串的开头和结尾而不是 SQL,您可能也想转义原始字符串。此外,如果您看一下 https://github.com/mysqljs/mysql#escaping-query-values,您可能会注意到您不需要用双引号 (") 将您的值括起来。
假设我们正在尝试实现这样的 SQL 查询:
SELECT event.name, host.name, Guest.name
FROM Event as event
LEFT JOIN Host on Host._id = event.host_id
LEFT JOIN Event_Guest on Event_Guest.event_id = event._id
LEFT JOIN Guest on Event_Guest.guest_id = Guest._id
WHERE host._id = event.host_id
AND event.status IN ('on', 'off')
AND (event.name LIKE '%search%' escape "'" OR host.name LIKE '%search%', OR guest.name LIKE '%search')
LIMIT 10, 0;
此更新代码示例可能适合您:
new_cond = cond.slice(0, 1)+'%'+s.slice(1, cond.length-1)+'%'+cond.slice(cond.length-1);
cond = mysql.escape(new_cond); # Should look like '%term%'
status_in = ['on', 'off'];
escape_char = "'";
connection.query('SELECT event.name, host.name, Guest.name
FROM Event as event
LEFT JOIN Host on Host._id = event.host_id
LEFT JOIN Event_Guest on Event_Guest.event_id = Event._id
LEFT JOIN Guest on Event_Guest.guest_id = Guest._id
WHERE host._id = event.host_id
AND event.status IN (?)
AND ( event.name LIKE ? escape ?
OR host.name LIKE ?
OR guest.name LIKE ?
) LIMIT ?, ?;', [status_in, cond, escape_char, cond, cond, skip, limit])