node.js中的变量查询

Question

I am trying to modify a query on my server side (node.js) that looks like this:

var http = require('http');
var query = "SELECT * FROM Users WHERE Email='Test.User@TestUser.com'";

This is the hardcoded query. I'm trying to do something like this (email being a variable pulled in from an input text area in an HTML doc):

var http = require('http');
var query = "SELECT * FROM Users WHERE Email=" + "'" + email + "'";

I'm using JQuery to handle the request like this from a javascript file:

$.ajax({
        url: "http://127.0.0.1:8000/",
        type: "POST",
        success: function(dataRcvd) {
            alert(dataRcvd);
        }

If I figure out how to do this I can dynamically update the var query with different SQL queries/stored procedures.

Answer 1

// server.js
var http = require('http');
function handler(req, res){
  console.log('Server got '+req.body.email);
  var query = "SELECT * FROM Users WHERE Email=" + "'" + req.body.email + "'";
  someAsyncSQLCall(query, function(rows){
    res.send(200, rows);
  });
};

http.createServer(handler).listen(3000);

//client.js
$.ajax({
        url: "http://127.0.0.1:8000/",
        type: "POST",
        data: {email: 'value' },
        success: function(dataRcvd) {
            alert(dataRcvd);
        }

Answer 2

This is an incredibly bad idea (string concatenation); anyone can post a SQL injection attack in your form and drop your database or do any number of other nefarious things.

I'm not sure what DB you're using, but most of them have a way of doing parameterized queries that sanitize you against these kinds of attacks.

Checkout node-postgres (pg module), which has examples of how to do it if you're using PostgreSQL.