es6模板文字是否可以防止sql注入？ [英] Do es6 template literals protect against sql injection?

问题描述

当es6模板文字用于构造查询时，是否可以防止SQL注入？你能提供一些常见攻击的例子以及如何减轻它们吗？

Do es6 template literals, when used to construct queries, protect against SQL injection? Can you provide some examples of common attacks and how they would be mitigated?

更具体地说，我计划使用 mssql 模块。在模板文字部分下的文档中，它说所有值都会针对SQL注入自动清理。这纯粹是因为ES6模板文字的工作原理吗？

More specifically, I plan to use the mssql module in a node project. In their documentation under the template literals section it says "All values are automatically sanitized against SQL injection". Is this true purely because of how ES6 template literals work?

推荐答案

不，ES6模板文字只是构建字符串的另一种方式如果您要使用它们从提供的用户输入构建原始SQL查询而不进行额外的过滤/转义，则不要保护您免受SQL注入：

No, ES6 template literals are just another way to build strings and don't protect you against SQL injections if you were to use them to build raw SQL queries from supplied user input without additional filtering / escaping:

let name = "Robert'; DROP TABLE Students;--"; // user supplied input

let sql = `SELECT * FROM Students WHERE name = '${name}'`; // build query...

console.log(sql); // Injected SQL!

这篇关于es6模板文字是否可以防止sql注入？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！