在 node-mysql 中防止 SQL 注入的最佳实践是什么? [英] What are Best Practices for preventing SQL injection in node-mysql?

问题描述

已经有一些关于这个话题的讨论(例如 防止 Node.js 中的 SQL 注入 )但实际上没有明确的清晰度或深入的讨论，更不用说任何地方的良好文档了.node-mysql 文档讨论了 SQL 注入的预防和一些转义函数.但是，尚不清楚这些函数如何防止 SQL 注入.手册说字符串已安全转义".仅此而已……这仅限于转义某些字符吗?

There has been some discussion on this topic (e.g. Preventing SQL injection in Node.js )but really no clear-cut clarity or a deep discussion, let alone good documentation anywhere. The node-mysql docs discuss prevention of SQL injection and some escape functions. However, it is unclear how these functions prevent SQL injection. The manual says "Strings are safely escaped." Nothing more... Is that limited to escaping some characters only?

node-mysql 中似乎还有其他等价物用于与 connection.escape 和 pool.escape 中相同的功能，再次强调这些功能用于防止 SQL 注入.

There seem to be other equivalents in node-mysql for the same function as in connection.escape and pool.escape with an emphasis again that these functions are used to prevent SQL injection.

node-mysql 中似乎也不支持真正的准备语句.计划和文件对此再次不清楚.Node-mysql 显然是 node.js 环境中一个非常流行的模块，至少在我有限的经验中相当稳定.在 node-mysql 中防止 SQL 注入的最佳实践是什么?

There also does not seem to be support for a true prepare statement in node-mysql. The plans and documentation are again unclear on this. Node-mysql is clearly a very popular module in the node.js environment and fairly stable at least in the limited experience I had with it. What are the Best Practices for preventing SQL injection in node-mysql?

推荐答案

sequelize 仍然存在漏洞

still sequelize is vulnerable

db.query('SELECT Desc FROM Items WHERE Username IN (:names)', {
  replacements: {
    names: ["Bobby", "'); DELETE FROM Items WHERE 1=1; --')"]
  }
});

这篇关于在 node-mysql 中防止 SQL 注入的最佳实践是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！