正确插入表名 [英] Proper insertion of table name
问题描述
如果可以动态确定表名并仍然防止SQL注入攻击,该如何正确提供表名?我正在使用 node-postgres .
How does one correctly provide the table name if the name can be dynamically determined and still prevent SQL injection attacks? I am using node-postgres.
例如:
以下作品有效,但我认为这是不安全的:
The following works but I believe is insecure:
dbclient.query("INSERT INTO " + table_name + " VALUES ($1, $2, $3)", [value_a, value_b, value_c])`
我想等效地(但不起作用)是:
What I would like equivalently (but does not work) is:
dbclient.query("INSERT INTO $1 VALUES ($2, $3, $4)", [table_name, value_a, value_b, value_c])`
推荐答案
任何好的库都应为SQL名称提供适当的转义,包括:
Any good library should provide proper escaping for SQL names, which include:
- 模式名称
- 表名
- 列名
例如,在 pg-promise 中,您将像这样使用它:>
For example, within pg-promise you would use it like this:
db.query("INSERT INTO $1~ VALUES ($2, $3, $4)", [table_name, value_a, value_b, value_c])
即您可以通过在变量后加上〜
来正确地转义表名,这反过来又可以防止SQL注入.
i.e. you get your table name properly escaped by appending the variable with ~
, which in turn makes it safe from SQL injection.
从此处对库执行的表名进行简单的转义:
From here, a simple escaping for table names executed by the library:
return '"' + name.replace(/"/g, '""') + '"';
另请参见: SQL名称
这篇关于正确插入表名的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!