如果在 JavaScript 中的字符串中大小写带有引号内的变量或 NULL?
[英]If case within string in JavaScript with variable either inside quotation marks or NULL?
问题描述
This question is difficult to title but easy to show.
此题难出题,易出题。 I would like to add multiple sets of values to an SQL insert such as我想将多组值添加到 SQL 插入,例如
var sqlInsertString = `INSERT INTO events (url) VALUES`
var sqlInsertValuesString = `(`('${event.url ? event.url : null}'), null, 1, 2, 3)`
pg_client.query(sqlInsertString + sqlInsertValuesString)
this happens in a loop and thus the separation of insert string and values string.这发生在一个循环中,因此插入字符串和值字符串的分离。 Now, what I want to happen is that if event.url contains a url it should insert the url as 'https://www.example.com' (with quotation marks) but if event.url is empty, it should insert null.现在,我想要发生的是,如果 event.url 包含 url,它应该将 url 插入为'https://www.example.com' (带引号),但如果 event.url 为空,则应该插入 null .
My code above will insert 'null' (with quotation marks) instead of an actual null in the database.我上面的代码将在数据库中插入“null”(带引号)而不是实际的 null。 Removing the quotation marks will cause errors because of the ':' in the url.去掉引号会因为url中的':'而出错。
How do I, in sqlInsertValuesString either provide a valid url string OR a 'real' null (without quotation marks) with this method?我如何在sqlInsertValuesString中使用此方法提供有效的 url 字符串或“真实” null (不带引号)?
5 个解决方案
解决方案1
1 2022-05-16 04:19:15
Unless you particularly want to use the backticks, you can do this除非你特别想使用反引号,否则你可以这样做
var event = {}; event.url = 'http://someurl.com'; var sqlInsertString = "INSERT INTO events (url, a, b, c, d) VALUES "; var sqlInsertValuesString = "('" + (event.url? event.url + "'": null) + ", null, 1, 2, 3)"; console.log(sqlInsertString + sqlInsertValuesString); var event = {}; var sqlInsertString = "INSERT INTO events (url, a, b, c, d) VALUES "; var sqlInsertValuesString = "(" + (event.url? "'" + event.url + "'": null) + ", null, 1, 2, 3)"; console.log(sqlInsertString + sqlInsertValuesString);
解决方案2
1 2022-05-16 04:21:34
It probably makes sense to split the assignment for clarity:为了清楚起见,拆分作业可能是有意义的:
let eventUrl = event.url ?? null;
const sqlInsertString = `INSERT INTO events (url) VALUES (${eventUrl}, null, 1, 2, 3)`
I have used the coalescing operator for the eventUrl我为eventUrl使用了合并运算符
解决方案3
1 已采纳 2022-05-16 04:33:47
There is more than one reason to use parametrised queries, not just preventing injection attacks.使用参数化查询的原因不止一个,而不仅仅是防止注入攻击。 They make it as simple as他们让它变得如此简单
pg_client.query(
"INSERT INTO events (url, nothing, one, two, three) VALUES ($1, $2, $3, $4, $5)",
[event.url || null, null, 1, 2, 3]
)
.then(res => ...)
.catch(err => ...)
No quoting necessary, the driver handles all the mechanics behind the scenes.无需报价,司机会在幕后处理所有的机械工作。
So even if you are not making your program safer, it is still good to use parametrised queries at least for legibility, and also for practice: if you get into a habit of using parametrised queries always , you will not need to think whether an injection is possible, and you will never make a mistake of misjudging it and leaving a security hole in your program.所以即使你没有让你的程序更安全,至少为了易读性和实践,使用参数化查询仍然是好的:如果你养成了总是使用参数化查询的习惯,你就不需要考虑是否是注入是可能的,你永远不会误判它而在你的程序中留下安全漏洞。
解决方案4
0 2022-05-15 23:32:23
You can try你可以试试
`(${event.url ? `'${event.url}'` : `null`})`
So there are only single quotes around the url if it exists, and not for nulls.因此,如果 url 存在,则只有单引号,而不是空值。
解决方案5
0 2022-05-16 04:56:20
If someone finds this through Google I also found that escaping the backtick works as well:如果有人通过谷歌找到这个,我还发现 escaping 反引号也有效:
${event.url ? (`\'` + event.url + `\'`) : null},
but the chosen answer is better.但选择的答案更好。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.