Way to remove string concat in Oracle-db (Nodejs)
Is there a way to prevent string concat in the SQL query that might cause SQL injection?

The searchParameter and searchString are optional parameters that come from a GET request. These should be added to the where clause, which will filter the results depending on user input.

Both searchParameter and searchString must not be null in order to complete the statement.

Thank you.
    async getDetails(searchParameter, searchString, skip = 0, limit = 25, transactionSeq) {
        let filterQuery = "";
        if (searchParameter && searchString) {
            // user input is concatenated straight into the statement text here
            filterQuery = "AND " + searchParameter + "=" + "'" + searchString + "'";
        }
        const sql = `
            select * from (
                select /*+first_rows(${limit})*/
                    a.record_sequence,
                    ROW_NUMBER() OVER (ORDER BY a.record_sequence) RN
                from TABLE_NAME a
                WHERE TRANSACTION_SEQUENCE = :t
            ) where RN between :n AND :m ${filterQuery}
            ORDER BY RN
        `;
        const bindVars = {
            t: transactionSeq,
            n: skip + 1,
            m: skip + limit
        };
        const resultAsync = this._database.simpleExecute(sql, bindVars);
        return resultAsync;
    }
You should allow-list any statement text that you are using in string concatenation. I presume searchParameter matches a column name, so check that the value is a column that exists in the table. Throw an error if it is not known. See Binding Column and Table Names in Queries.

Then use a bind variable for user data searchString. You can add this to bindVars.

Also you might like to use the newer limit syntax:
const myoffset = 0; // do not skip any rows (start at row 1)
const mymaxnumrows = 20; // get 20 rows
const result = await connection.execute(
`SELECT last_name
FROM employees
ORDER BY last_name
OFFSET :offset ROWS FETCH NEXT :maxnumrows ROWS ONLY`,
{offset: myoffset, maxnumrows: mymaxnumrows});
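Putting the three points of the answer together (allow-listed column name, bind variable for the search value, OFFSET/FETCH paging), here is an added example that is not part of the question or the answer above. It assumes node-oracledb style named binds (`:name`) passed to `connection.execute(sql, binds)`; the table name, the column names in `SEARCHABLE_COLUMNS` and the fake connection at the bottom are constructed placeholders, not anything from the original page.

```javascript
// Added example, not code from the original question or answer.
// Builds the paginated query without concatenating request data into the SQL.
// Column names below are constructed placeholders for the real table's columns.
const SEARCHABLE_COLUMNS = new Set([
  "RECORD_SEQUENCE",
  "CUSTOMER_NAME",
  "STATUS",
]);

// Return the allow-listed column literal, or throw when the request names a
// column we do not know. Only this literal is ever placed in the SQL text;
// the raw request value never is. Oracle unquoted identifiers are case
// insensitive, so the lookup is done in upper case.
function allowListColumn(searchParameter) {
  const name = String(searchParameter).toUpperCase();
  if (!SEARCHABLE_COLUMNS.has(name)) {
    throw new Error(`unknown search column: ${searchParameter}`);
  }
  return name;
}

// Returns { sql, binds } so the statement can be inspected without a database.
function buildDetailsQuery({ searchParameter, searchString, skip = 0, limit = 25, transactionSeq }) {
  const binds = { t: transactionSeq, offset: skip, maxnumrows: limit };
  let filterClause = "";

  // Both optional parameters must be present before a filter is added.
  if (searchParameter && searchString) {
    const column = allowListColumn(searchParameter);
    filterClause = `AND a.${column} = :search`;
    binds.search = searchString; // user data travels as bind data, not SQL text
  }

  const sql = `
    SELECT a.record_sequence
    FROM TABLE_NAME a
    WHERE a.transaction_sequence = :t
    ${filterClause}
    ORDER BY a.record_sequence
    OFFSET :offset ROWS FETCH NEXT :maxnumrows ROWS ONLY`;

  return { sql, binds };
}

// Works with any object exposing execute(sql, binds), such as a node-oracledb
// connection; the builder above stays testable on its own.
async function getDetails(connection, params) {
  const { sql, binds } = buildDetailsQuery(params);
  return connection.execute(sql, binds);
}

// Stand-alone demonstration with a constructed fake connection that just
// records what it was asked to run.
const fakeConnection = {
  calls: [],
  async execute(sql, binds) {
    this.calls.push({ sql, binds });
    return { rows: [] };
  },
};

getDetails(fakeConnection, {
  searchParameter: "status",
  searchString: "x' OR '1'='1", // stays inside binds.search, never in the SQL
  skip: 25,
  limit: 25,
  transactionSeq: 42,
}).then(() => {
  const { sql, binds } = fakeConnection.calls[0];
  console.log(sql.trim());
  console.log(binds);
});
```

The check worth keeping from this is the error path: a `searchParameter` that is not on the allow-list throws before any SQL is built, and an empty `searchString` produces no filter clause and no `search` bind, matching the question's requirement that both values be present.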