2

最近我在 nodejs Web 应用程序中使用 mysqljs。
我想转义我在 SQL 中的所有参数以防止注入攻击。
但是在 LIKE 模式中,SQL 会受到转义字符串符号 ` 的影响 

Here is my query
SELECT event.name, host.name, Guest.name
        FROM Event as event
        LEFT JOIN Host on Host._id = event.host_id
        LEFT JOIN Event_Guest on Event_Guest.event_id = Event._id
        LEFT JOIN Guest on Event_Guest.guest_id = Guest._id
        WHERE host._id = event.host_id AND event.status IN ('on', 'off') AND 
        ( event.name LIKE "%?%" escape "'" OR host.name LIKE "%?%" OR guest.name LIKE "%?%")
        LIMIT ?, ?;
    `, [cond, cond, cond, skip, limit])

如果我申请mysql.escape(cond),SQL 将是LIKE "%'cond'%"
单引号会影响结果。

如何转义参数并保留原始 SQL?

4

1 回答 1

1

您可以添加%到字符串的开头和结尾,而不是在 SQL 中,您可能也想转义原始字符串。此外,如果您查看https://github.com/mysqljs/mysql#escaping-query-values,您可能会注意到您不需要将值括在双引号 ( ") 中。

假设我们正在尝试实现这样的 SQL 查询:

SELECT event.name, host.name, Guest.name
FROM Event as event
LEFT JOIN Host on Host._id = event.host_id
LEFT JOIN Event_Guest on Event_Guest.event_id = event._id
LEFT JOIN Guest on Event_Guest.guest_id = Guest._id
WHERE host._id = event.host_id
AND event.status IN ('on', 'off')
AND (event.name LIKE '%search%' escape "'" OR host.name LIKE '%search%', OR guest.name LIKE '%search')
LIMIT 10, 0;

此更新代码示例可能对您有用:

new_cond = cond.slice(0, 1)+'%'+s.slice(1, cond.length-1)+'%'+cond.slice(cond.length-1);
cond = mysql.escape(new_cond);  # Should look like '%term%'
status_in = ['on', 'off'];
escape_char = "'";
connection.query('SELECT event.name, host.name, Guest.name
    FROM Event as event
    LEFT JOIN Host on Host._id = event.host_id
    LEFT JOIN Event_Guest on Event_Guest.event_id = Event._id
    LEFT JOIN Guest on Event_Guest.guest_id = Guest._id
    WHERE host._id = event.host_id 
    AND event.status IN (?)
    AND ( event.name LIKE ? escape ?
          OR host.name LIKE ? 
          OR guest.name LIKE ?
    ) LIMIT ?, ?;', [status_in, cond, escape_char, cond, cond, skip, limit])
于 2017-07-26T05:03:16.490 回答