How to prevent sql-injection in nodejs and sequelize?


Question

I want to write custom queries using Sequelize, and as far as possible avoid potential issues with SQL Injection. My question is therefore if there exists a secure way of writing custom queries with inserted variables using Sequelize?

Answer

Sequelize escapes replacements, which avoids the problem at the heart of SQL injection attacks: unescaped strings. It also supports binding parameters when using SQLite or PostgreSQL, which alleviates the risk further by sending the parameters to the database separately to the query, as documented here:

Bind parameters are like replacements. Except replacements are escaped and inserted into the query by sequelize before the query is sent to the database, while bind parameters are sent to the database outside the SQL query text. A query can have either bind parameters or replacements.

Only SQLite and PostgreSQL support bind parameters. Other dialects will insert them into the SQL query in the same way it is done for replacements. Bind parameters are referred to by either $1, $2, ... (numeric) or $key (alpha-numeric). This is independent of the dialect.
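As an added illustration of the distinction the answer draws (this is example code, not from the question, the answer, or the Sequelize project), the block below models the three ways a user-supplied value can reach a query: raw string concatenation, an escaped replacement spliced into the SQL text, and a bind parameter that leaves the SQL text untouched and travels separately. The escaping rule and placeholder parsing are a deliberately simplified stand-in for what an ORM does internally; in real Sequelize code the same `:name` and `$name` placeholders are supplied through `sequelize.query(sql, { replacements: { ... } })` and `sequelize.query(sql, { bind: { ... } })`. The hostile input and table name are constructed for the demonstration.

```javascript
// Added example: models the three ways a value can reach a SQL query.
// It does NOT use Sequelize; the escaping below is a simplified version of
// what an ORM's replacement escaping does (single quotes doubled, which is
// the SQL standard form that PostgreSQL and SQLite accept). Sample data is
// constructed for this demonstration.

// 1. Unsafe: string concatenation. The value becomes part of the SQL text,
//    so a quote inside it ends the literal and the rest is parsed as SQL.
function concatQuery(username) {
  return `SELECT * FROM users WHERE name = '${username}'`;
}

// 2. Replacements: the value is escaped and spliced into the SQL before it
//    is sent. Placeholder syntax mirrors Sequelize's `:name` replacements.
function escapeLiteral(value) {
  if (typeof value === 'number' && Number.isFinite(value)) return String(value);
  if (value === null) return 'NULL';
  return `'${String(value).replace(/'/g, "''")}'`;
}

function replacementQuery(sql, replacements) {
  return sql.replace(/:(\w+)/g, (_match, key) => {
    if (!Object.prototype.hasOwnProperty.call(replacements, key)) {
      throw new Error(`missing replacement: ${key}`);
    }
    return escapeLiteral(replacements[key]);
  });
}

// 3. Bind parameters: the SQL text is sent as written (with numbered
//    positions), and the values are shipped in a separate list, so they
//    can never be parsed as SQL. Placeholder syntax mirrors Sequelize's
//    `$key` bind parameters.
function bindQuery(sql, bind) {
  const values = [];
  const text = sql.replace(/\$(\w+)/g, (_match, key) => {
    if (!Object.prototype.hasOwnProperty.call(bind, key)) {
      throw new Error(`missing bind parameter: ${key}`);
    }
    values.push(bind[key]);
    return `$${values.length}`; // $1, $2, ... in order of appearance
  });
  return { text, values };
}

// Constructed hostile input: a quote followed by a tautology.
const HOSTILE_NAME = "' OR '1'='1";

function demo() {
  return {
    concatenated: concatQuery(HOSTILE_NAME),
    replaced: replacementQuery(
      'SELECT * FROM users WHERE name = :name AND age > :age',
      { name: HOSTILE_NAME, age: 18 }
    ),
    bound: bindQuery(
      'SELECT * FROM users WHERE name = $name AND age > $age',
      { name: HOSTILE_NAME, age: 18 }
    ),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows that concatenation turns the input into a different WHERE clause, the replacement keeps it inside one quoted literal, and the bind form never lets the value touch the SQL text at all, which is why the answer treats bind parameters as the stronger option where the dialect supports them.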
