阻止Node.js中的SQL注入 [英] Preventing SQL injection in Node.js

问题描述

是否有可能阻止Node.js中的SQL注入（最好使用模块），就像PHP具有保护它们的Prepared Statements一样。

Is it possible to prevent SQL injections in Node.js (preferably with a module) in the same way that PHP had Prepared Statements that protected against them.

如果又怎样？如果没有，可能会绕过我提供的代码 （见下文）。

If so, how? If not, what are some examples that might bypass the code I've provided (see below).

某些上下文：

我正在使用 node-mysql 模块。从可用性的角度来看，该模块很棒，但它尚未实现类似于PHP的准备好的陈述（虽然我知道它出现在 todo 上） 。

I'm making a web application with a back-end stack consisting of Node.js + MySql using the node-mysql module. From a usability perspective, the module is great, but it has not yet implemented something akin to PHP's Prepared Statements (though I'm aware it is on the todo).

根据我的理解，PHP的预准备语句的实现，除其他外，极大地帮助了预防SQL注入。不过我很担心我的node.js应用程序可能会受到类似的攻击，即使默认提供字符串转义（如下面的代码片段）。

From my understanding, PHP's implementation of prepared statements, among other things, helped greatly in the prevention of SQL injections. I'm worried, though, that my node.js app may be open to similar attacks, even with the string escaping provided by default (as in the code snippet below).

node-mysql似乎是节点最流行的mysql连接器.js，所以我想知道其他人可能正在做什么（如果有的话）来解决这个问题 - 或者甚至是node.js开头的问题（不知道这不会是怎么回事，因为用户/涉及客户端输入。）

node-mysql seems to be the most popular mysql connector for node.js, so I was wondering what other people might be doing (if anything) to account for this issue - or if it is even an issue with node.js to begin with (not sure how this wouldn't be, since user/client-side input is involved).

我应该切换到 node-mysql-native ，因为它确实提供了准备好的语句？我对此犹豫不决，因为它似乎没有像node-mysql（虽然这可能只是意味着它已经完成）。

Should I switch to node-mysql-native for the time being, since it does provide prepared statements? I'm hesitant to do this, because it does not seem to be as active as node-mysql (though that may just mean that it is complete).

这是一段用户注册码，它使用 sanitizer 模块，以及node-mysql准备好的类似语句的语法（正如我上面提到的那样，会进行字符转义），以防止分别跨站点脚本和sql注入：

Here is a snippet of user registration code, which uses the sanitizer module, along with node-mysql's prepared statement-like syntax (which, as I mentioned above, does character escaping), to prevent cross site scripting and sql injections, respectively:

// Prevent xss
var clean_user = sanitizer.sanitize(username);

// assume password is hashed already
var post = {Username: clean_user, Password: hash};

// This just uses connection.escape() underneath
var query = connection.query('INSERT INTO users SET ?', post,
   function(err, results)
   {
       // Can a Sql injection happen here?
   });

推荐答案

node-mysql 库在您正在使用时自动执行转义。请参见 https://github.com/felixge/node-mysql#escaping-query-价值

The node-mysql library automatically performs escaping when used as you are already doing. See https://github.com/felixge/node-mysql#escaping-query-values

这篇关于阻止Node.js中的SQL注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！