如何防止nodejs中的sql注入和续集? [英] How to prevent sql-injection in nodejs and sequelize?

问题描述

我想使用 Sequelize 编写自定义查询，并尽可能避免 SQL 注入的潜在问题.因此，我的问题是，是否存在使用 Sequelize 使用插入变量编写自定义查询的安全方法?

I want to write custom queries using Sequelize, and as far as possible avoid potential issues with SQL Injection. My question is therefore if there exists a secure way of writing custom queries with inserted variables using Sequelize?

推荐答案

Sequelize 转义替换，避免了 SQL 注入攻击的核心问题:未转义的字符串.它还支持在使用 SQLite 或 PostgreSQL 时绑定参数，通过将参数单独发送到数据库来进一步降低风险，这里记录:

Sequelize escapes replacements, which avoids the problem at the heart of SQL injection attacks: unescaped strings. It also supports binding parameters when using SQLite or PostgreSQL, which alleviates the risk further by sending the parameters to the database separately to the query, as documented here:

绑定参数就像替换.除了替换被转义并在查询发送到之前通过 sequelize 插入到查询中数据库，而绑定参数被发送到外部的数据库SQL 查询文本.查询可以有绑定参数或替换.

Bind parameters are like replacements. Except replacements are escaped and inserted into the query by sequelize before the query is sent to the database, while bind parameters are sent to the database outside the SQL query text. A query can have either bind parameters or replacements.

只有 SQLite 和 PostgreSQL 支持绑定参数.其他方言将以相同的方式将它们插入到 SQL 查询中替代品.绑定参数由 $1、$2、... 引用(数字)或 $key(字母数字).这与方言无关.

Only SQLite and PostgreSQL support bind parameters. Other dialects will insert them into the SQL query in the same way it is done for replacements. Bind parameters are referred to by either $1, $2, ... (numeric) or $key (alpha-numeric). This is independent of the dialect.

这篇关于如何防止nodejs中的sql注入和续集?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！