无法转义单引号
[英]Unable to escape single quote
问题描述
I am trying to figure out a way to escape single quotes in my "pre-built" SQL query that I send to a generic functions (all my queries use it).
我试图找出一种方法来在我发送到通用函数的“预建” SQL 查询中转义单引号(我的所有查询都使用它)。
I tried the escape npm plugin, doing it manually, etc.我尝试了逃生 npm 插件,手动执行等。
Here's the bit of code where I build my query and when I input for example "it's", well the dataString bugs out because of the special character:这是我构建查询的部分代码,当我输入例如“it's”时,由于特殊字符,dataString 会出错:
exports.addEntry = (req, res, nomPage, nomTable, data) => {
Object.keys(data).forEach(function (k, id) {
console.log(data[k]);
if (data[k] != null) {
if (id > 0) {
columnString += `,`;
dataString += `,`;
}
columnString += `${[k]}`;
dataString += `'${data[k]}'`;
}
});
try {
if (!data) throw new Error("Input not valid");
if (data) {
var sqlQuery = `INSERT INTO ${nomTable} (${columnString}) VALUES (${dataString})`;
connect.connectDatabase(sqlQuery, (data, err) => {
[...]
The generic function I was talking about earlier is this:我之前谈到的通用 function 是这样的:
var sql = require("mssql");
var config = require("../settings").config;
exports.connectDatabase = function (rawQuery, callback) {
var conn = new sql.ConnectionPool(config);
conn
.connect()
.then(function () {
var req = new sql.Request(conn);
req
.query(rawQuery)
.then(function (recordset) {
callback(recordset.recordset);
})
My plan is having the queries to use only one function, not many functions that does pretty much the same thing.我的计划是让查询只使用一个 function,没有多少功能可以做几乎相同的事情。
Help would be greatly appreciated.帮助将不胜感激。
2 个解决方案
解决方案1
1 2020-05-19 23:50:02
The way you are building up this query is exactly what you don't want to do.您构建此查询的方式正是您不想做的。 It leaves you completely open to SQL injection.它让您对 SQL 注入完全开放。
To avoid this, you need to parameterize your query.为避免这种情况,您需要参数化您的查询。 The added benefit here it will take care of all escaping.这里的额外好处是它将处理所有 escaping。
Here is an example , straight from the MS docs, demonstrating how to perform parameterized queries with the node.js driver for SQL Server.这是一个直接来自 MS 文档的示例,演示了如何使用 SQL 服务器的 node.js 驱动程序执行参数化查询。
Your code, following this paradigm will look something like:遵循此范例的代码将如下所示:
exports.addEntry = (req, res, nomPage, nomTable, data) => {
Object.keys(data).forEach(function (k, id) {
console.log(data[k]);
if (data[k] != null) {
if (id > 0) {
columnString += `,`;
dataString += `,`;
}
columnString += `${[k]}`;
dataString += `@${data[k]}`;
}
});
try {
if (!data) throw new Error("Input not valid");
if (data) {
var sqlQuery = `INSERT INTO ${nomTable} (${columnString}) VALUES (${dataString})`;
connect.connectDatabase(sqlQuery, (data, err) => {
[...]
All that changed was the operating constructing the dataString .所有改变的是构造dataString的操作。
Note, you'll now need to feed parameters into your command execution to replace the data you were embedding before.
解决方案2
0 2020-05-20 00:02:19
A few ways to do this: 1 - replacing the colons for square brackets which will create an array of string values then you just have to worry about sorting thru the array length, this will increase your processing time but if your app is not too big it should not make a big difference.有几种方法可以做到这一点: 1 - 将冒号替换为方括号,这将创建一个字符串值数组,然后您只需要担心通过数组长度进行排序,这会增加您的处理时间,但如果您的应用程序不是太大它不应该有很大的不同。
2 - Use \' to escape single quotes in strings or \" to escape double quotes. 2 - 使用\'转义字符串中的单引号或使用\"转义双引号。
Let me know if that helped as this is a quick answer.让我知道这是否有帮助,因为这是一个快速的答案。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.