cannot use backtick when using nodejs 7.3.0


Question

I'm trying to run a simple website, and encountered the following backtick error

  `INSERT INTO questions(qid, uid, question, difficulty, cid) VALUES(${qid},${uid},${question},${difficulty},${cid})`,
   ^^^^^^
SyntaxError: Unexpected identifier
    at Object.exports.runInThisContext (vm.js:78:16)
    at Module._compile (module.js:543:28)
    at Object.Module._extensions..js (module.js:580:10)
    at Module.load (module.js:488:32)
    at tryModuleLoad (module.js:447:12)
    at Function.Module._load (module.js:439:3)
    at Module.runMain (module.js:605:10)
    at run (bootstrap_node.js:420:7)
    at startup (bootstrap_node.js:139:9)
    at bootstrap_node.js:535:3

Here is the code

var express = require('express');
var mysql = require('mysql');

// The original post shows only the route handler; the app, JSON body parsing
// and pool setup below are assumed so that the handler can actually be run.
var app = express();
app.use(express.json());              // fills req.body for the JSON PUT below

var pool = mysql.createPool({         // connection details are placeholders
  host: 'localhost',
  user: 'user',
  password: 'password',
  database: 'quiz'
});

app.put('/problems', function(req, res) {
  pool.getConnection(function(err, connection) {
    if (err) {                        // the original never checked this error
      console.log(`[500] ${req.method} to ${req.url} because ${err}`);
      res.status(500).end();
      return;
    }
    var p_list = new Array(4);
    // Every value is run through mysql.escape() and the escaped text is then
    // interpolated into the SQL strings built below.
    var qid = mysql.escape(req.body.qid);
    var uid = mysql.escape(req.body.uid);
    var question = mysql.escape(req.body.question);
    var difficulty = mysql.escape(req.body.difficulty);
    var cid = mysql.escape(req.body.cid);
    var choices = req.body.choices;
    var answer = mysql.escape(req.body.answer);
    var explanation = mysql.escape(req.body.explanation);
    var qid_choice = ``;              // empty template literal, same as ''
    choices.forEach( choice => {
      choice = mysql.escape(choice);
      qid_choice += "("+qid+", "+choice+"),";
    } );
    qid_choice = qid_choice.slice(0,-1);   // drop the trailing comma

    var queries = [
      `INSERT INTO questions(qid, uid, question, difficulty, cid) VALUES(${qid},${uid},${question},${difficulty},${cid})`,
      `INSERT INTO questionInfo(qid) VALUES(${qid})`,
      `INSERT INTO choices(qid, choice) VALUES ${qid_choice}`,
      `INSERT INTO solutions(qid, answer, explanation) VALUES(${qid},${answer},${explanation})`
    ];
    for (let i=0; i<4; i++) {
      p_list[i] = new Promise(function(resolve, reject) {
        connection.query(
          queries[i],
          err => {
            if (err) reject(err);
            else resolve();
          }
        );
      });
    }

    Promise.all(p_list).then(function() {
      connection.release();
      console.log(`[200] ${req.method} to ${req.url}`);
      res.end();
    }, function(err) {
      connection.release();
      console.log(`[500] ${req.method} to ${req.url} because ${err}`);
      res.status(500).end();          // the original left the request hanging here
    });
  });
});

app.listen(3000);                     // port is an assumption

I'm using node version 7.3.0

I have no idea why this error occurred... It's too frustrating

Thanks for reading :)

Answer

SQL Injection Alert

Your entire code is one big SQL injection vulnerability waiting to be exploited. It's pretty rare to have an exploitable SQL injection vulnerability these days, but here you have it in every parameter.

connection.query(
    `INSERT INTO questionInfo(qid) VALUES(${qid})`,
    err => {
        // ...
    }
);

Or:

connection.query(
    'INSERT INTO questionInfo(qid) VALUES(' + qid + ')',
    err => {
        // ...
    }
);

Always do this:

connection.query(
    'INSERT INTO questionInfo(qid) VALUES(?)',
    qid,
    err => {
        // ...
    }
);

Your problem

Looking at your problem it seems that either you have unbalanced backticks or you found a bug in Node. It's hard to tell anything more because instead of posting a minimal example that reproduces your problem, you posted an incomplete part of your route handler that cannot even be run without the parts that you removed.

But you should be grateful that you got the problem with backticks, because without it you would never even know how insecure your code is. I can't even remember when I last saw code with a SQL injection vulnerability. It's been years since I last referred someone to this comic strip:

Please read:

  • https://en.wikipedia.org/wiki/SQL_injection
  • http://www.beyondsecurity.com/about-sql-injection.html
  • http://projects.webappsec.org/w/page/13246963/SQL%20Injection
  • http://bobby-tables.com/

And remember to never use backticks to insert unsanitized data into any string, especially SQL.
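As an added example (not code from the question or the answer), the block below shows in plain Node.js what the two constructions in the answer produce when the request value is hostile. It does not load the `mysql` package: `escapeLiteral()` and `format()` are small re-implementations, written for this page, of the backslash escaping that `mysql.escape()` applies and of `?` placeholder substitution, and `splitStatements()` is a crude splitter on `;` outside quotes used only to count how many statements the server would be handed. The `PAYLOAD` value is constructed.

```javascript
// Added example: not code from the question or the answer. It does not load the
// `mysql` package; escapeLiteral() and format() re-implement the essentials of
// mysql.escape() and of '?' placeholder substitution so the block runs offline.

// Backslash escaping of the characters mysql.escape() treats specially.
const ESCAPES = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', "'": "\\'", '"': '\\"', '\\': '\\\\',
};

// Turn one JavaScript value into a SQL literal: numbers and booleans unquoted,
// strings escaped and single-quoted, null/undefined as NULL.
function escapeLiteral(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') return String(value);
  if (typeof value === 'boolean') return value ? 'true' : 'false';
  const body = String(value).replace(/[\0\b\t\n\r\x1a'"\\]/g, (c) => ESCAPES[c]);
  return `'${body}'`;
}

// Client-side placeholder substitution: each '?' is replaced by the escaped
// literal of the next value. (Identifier placeholders '??' are not handled.)
function format(sql, values) {
  const vals = Array.isArray(values) ? values : [values];
  let i = 0;
  return sql.replace(/\?/g, () => {
    if (i >= vals.length) throw new Error('more placeholders than values');
    return escapeLiteral(vals[i++]);
  });
}

// Crude splitter on ';' outside single-quoted literals, used only to count how
// many statements the server would be handed. Not a SQL parser.
function splitStatements(sql) {
  const out = [];
  let cur = '';
  let inQuote = false;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (inQuote) {
      cur += c;
      if (c === '\\') cur += sql[++i] || '';   // keep the escaped character
      else if (c === "'") inQuote = false;
    } else if (c === "'") {
      inQuote = true;
      cur += c;
    } else if (c === ';') {
      if (cur.trim()) out.push(cur.trim());
      cur = '';
    } else {
      cur += c;
    }
  }
  if (cur.trim()) out.push(cur.trim());
  return out;
}

// Three ways to build the INSERT from the answer.
function buildUnsafe(qid) {        // raw interpolation, as in the answer's first snippet
  return `INSERT INTO questionInfo(qid) VALUES(${qid})`;
}
function buildEscaped(qid) {       // the question's pattern: escape, then interpolate
  return `INSERT INTO questionInfo(qid) VALUES(${escapeLiteral(qid)})`;
}
function buildPlaceholder(qid) {   // the answer's recommendation
  return format('INSERT INTO questionInfo(qid) VALUES(?)', qid);
}

// Constructed attacker-controlled value for req.body.qid.
const PAYLOAD = "1); DROP TABLE questions -- ";

if (typeof require !== 'undefined' && require.main === module) {
  for (const build of [buildUnsafe, buildEscaped, buildPlaceholder]) {
    const sql = build(PAYLOAD);
    console.log(`${build.name}: ${splitStatements(sql).length} statement(s)\n  ${sql}`);
  }
}
```

`buildUnsafe()` hands the server two statements, the INSERT and a DROP TABLE. `buildPlaceholder()` turns the whole payload into one quoted string literal, so the server sees a single INSERT with an odd `qid` value. `buildEscaped()` mirrors the question's pattern of calling `mysql.escape()` on each value before interpolating and, for this input, yields the same text as the placeholder form; what the placeholder form buys is that the escaping step cannot be forgotten for any one of the values.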
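To see why the answer points at unbalanced backticks, here is a second added example (again not from the question or the answer). It feeds two small constructed source strings to the JavaScript parser through `Function()`: one with balanced template literals, and the same text with a single backtick dropped on the first line. `firstOpenBacktickLine()` is a heuristic written for this page, not a Node facility.

```javascript
// Added example: not code from the question or the answer. It hands source text
// to Function(), i.e. to the same parser Node uses for a module, so no mysql or
// express is needed.

// Parse `src` without running it; return null on success, otherwise
// "SyntaxError: <message>".
function parseError(src) {
  try {
    new Function(src);
    return null;
  } catch (e) {
    return `${e.name}: ${e.message}`;
  }
}

// Heuristic locator: the first line after which the running count of unescaped
// backticks is odd, i.e. a template literal was opened and not closed on that
// line. Legitimate multi-line template literals trip it too, so it marks where
// to start looking, not proof. Returns 0 when every line ends balanced.
function firstOpenBacktickLine(src) {
  let total = 0;
  const lines = src.split('\n');
  for (let i = 0; i < lines.length; i++) {
    total += (lines[i].match(/(?<!\\)`/g) || []).length;
    if (total % 2 === 1) return i + 1;
  }
  return 0;
}

// Constructed sources. `${qid}` sits inside ordinary double-quoted strings here,
// so it is handed to the parser as text and is never evaluated.
const balanced = [
  "var qid_choice = ``;",
  "var q = `INSERT INTO questionInfo(qid) VALUES(${qid})`;",
].join('\n');

// Same file with one backtick missing on line 1. The literal opened there now
// runs up to the backtick that was meant to open the INSERT string, and the
// parser then meets the bare identifier INSERT: the message from the question,
// reported on the INSERT line rather than on the line that is actually wrong.
const unbalanced = [
  "var qid_choice = `;",
  "var q = `INSERT INTO questionInfo(qid) VALUES(${qid})`;",
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('balanced  :', parseError(balanced));
  console.log('unbalanced:', parseError(unbalanced),
              '(first open backtick on line ' + firstOpenBacktickLine(unbalanced) + ')');
}
```

The practical lesson is the one the answer gives: when "Unexpected identifier" lands on a line whose backticks look fine, the literal that is actually open was started earlier in the file, and the parity check narrows down where.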
