node.js的乏味模块是否具有防止sql注入的功能?
[英]Does tedious module for node.js have any function for preventing sql injection?
问题描述
For your information, I'm working on preventing sql injection using Microsoft Azure & tedious module. 
供您参考,我正在使用Microsoft Azure和繁琐的模块来防止sql注入。
I saw a function called "escape" on mysql module, but I'm not sure if the similar function is in tedious module or not. 我在mysql模块上看到了一个名为“转义”的函数,但是我不确定类似的函数是否在乏味的模块中。
1 个解决方案
解决方案1
0 2018-05-12 08:05:01
Escaping is an ancient technique that's annoying to use and also error prone (it's somewhat easy to forget a variable or escape it twice—and it's not uncommon to see the wrong escaping function being used). 转义是一种古老的技术,使用起来很烦人,而且容易出错(忘记一个变量或两次对其进行转义有些容易,而且看到使用了错误的转义功能也很常见)。 Any decent database library written in the last decade must support prepared statements or be dropped. 在过去的十年中编写的任何体面的数据库库都必须支持准备好的语句或被删除。
The side menu of the Tedious site features a prominent Using Parameters first level entry that covers this: Tedious站点的侧菜单具有突出显示的“ 使用参数”第一级条目,其中包括:
here is support for parameterised statements, and using parameters when calling procedures.
Input parameters are added to a Request using
Request.addParameter(), and output parameters are added usingRequest.addOutputParameter()Parameter namesRequest.addParameter()并使用被加入输出参数Request.addOutputParameter()参数名In T-SQL, parameter names are identified by being prefixed with an '@'.
select id from address where first_name = @name and age > @ageThe parameters names used in this API do not include the '@'.
request.addParameter('name', ..., ...); request.addParameter('age', ..., ...);
They could have provided a less verbose syntax but it should get the job done. 他们本可以提供不太冗长的语法,但是应该可以完成工作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.