[英]How come I'm getting a syntax error in my SQL code?
I'm getting an error on the line that says 我在一行上看到一个错误
const INSERT_PRODUCTS_QUERY = 'INSERT INTO products(name, price) VALUES('${name}',${price})';
I know the error emanates from the single quotes in '${name}'
but I also tried removing the single quotes in an attempt to get rid of this error and still get an error that says: 我知道错误是由'${name}'
的单引号引起的,但我也尝试删除单引号,以消除该错误并仍然显示以下错误:
{
"code": "ER_PARSE_ERROR",
"errno": 1064,
"sqlMessage": "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '{name}, ${price})' at line 1",
"sqlState": "42000",
"index": 0,
"sql": "INSERT INTO products(name, price) VALUES(${name}, ${price})"
}
Here's my code: 这是我的代码:
const express = require('express');
const cors = require('cors');
const mysql = require('mysql');
const app = express();
const SELECT_ALL_PRODUCTS_QUERY = 'SELECT * FROM products';
const connection = mysql.createConnection({
host: 'localhost',
user: 'root',
password: 'password',
database: 'react_sql'
});
connection.connect(err => {
if(err) {
return err;
}
});
app.use(cors());
app.get('/', (req, res) => {
res.send('go to /products to see products')
});
app.get('/products/add', (req, res) => {
const { name, price } = req.query;
const INSERT_PRODUCTS_QUERY = 'INSERT INTO products(name, price) VALUES('${name}',${price})';
connection.query(INSERT_PRODUCTS_QUERY, (err, results) => {
if(err) {
return res.send(err);
} else {
return res.send('successfully added products');
}
});
})
app.get('/products', (req, res) => {
connection.query(SELECT_ALL_PRODUCTS_QUERY, (err, results) => {
if(err) {
return res.send(err)
} else {
return res.json({
data: results
})
}
});
});
app.listen(4000, () => {
console.log("listening port 4000");
});
I don't know so much about SQL and its queries, so for this subject (strings, security, etc) listen to other people. 我对SQL及其查询的了解不多,因此对于这个主题(字符串,安全性等),请听别人讲。
As you can see in the comments this opens the code to SQL Injections, better avoid to using it. 正如您在注释中看到的那样,这会将代码打开到SQL Injections,最好避免使用它。
Thanks, @Keith. 谢谢,@基思。
But if you want to use variables in your strings either you need to combine different string pieces or you should use template literals . 但是,如果要在字符串中使用变量,则需要组合不同的字符串或使用模板文字 。
PS: If you still really, really want to use template literals, you can check this node package which is sql-template-strings
for NodeJS. PS:如果您仍然非常想使用模板文字,则可以检查此节点包 ,它是sql-template-strings
。
Notice the backticks: `` 注意反引号:
const name = "foo"; const price = 100; const INSERT_PRODUCTS_QUERY = `INSERT INTO products(name, price) VALUES('${name}',${price})`; console.log( INSERT_PRODUCTS_QUERY );
SQL parameters in MySQL are not only a convenient way of passing parameters to query's, there also a must if you don't want to open your site to SQL Injection problems. MySQL中的SQL参数不仅是将参数传递给查询的一种便捷方法,而且如果您不想因SQL注入问题而打开自己的站点,这也是必须的。
The changes you need to make are very minimal.. 您需要进行的更改非常少。
First change your query to -> 首先将查询更改为->
const INSERT_PRODUCTS_QUERY =
'INSERT INTO products(name, price) VALUES(?, ?)'
And when you use this query pass the parameters as the second parameter. 当您使用此查询时,将参数作为第二个参数传递。
connection.query(SELECT_ALL_PRODUCTS_QUERY,
[name, price],
(err, results) => {
Template literals are not surrounded by simple quotes but by back-ticks "`" 模板文字不是用简单的引号引起来,而是用反引号“`”引起来
It should become : 它应该变成:
const INSERT_PRODUCTS_QUERY = `INSERT INTO products(name, price) VALUES('${name}',${price})`
You are not providing literals correctly, modify your query as following, this is PHP representation you can change accordingly. 您没有正确提供文字,请按以下方式修改查询,这是可以相应更改的PHP表示形式。
INSERT INTO products(name, price) VALUES('".${name}."','".${price}."');
Single quote for literal value is ambiguous with language single quote, which breaks query syntax. 文字值的单引号与语言单引号是不明确的,这破坏了查询语法。
This is not best way to achieve this, as it opens your query to SQL Injection. 这不是实现此目的的最佳方法,因为它打开了对SQL Injection的查询。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.