Escaping Node.JS MySQL problem: I created a daemon that automatically and randomly changes MySQL table contents across my pages (WordPress tables).
I have a system that reads an array of stories and then updates the table in MySQL, as well as updating the timestamp on the server.
My code looks like this:
```javascript
// required libraries
var fs = require('fs');
var mysql = require('mysql');
var dateFormat = require('dateformat');
var now = new Date();

// mysql table
var connection = mysql.createConnection({
  host     : 'yomamabinshoppin',
  user     : 'nonya',
  password : 'defineltynonya',
  database : 'okbye'
});
connection.connect();

// site listing: one wp_*posts table per site
var sites = [ 'wp_counlwarehouseposts', 'wp_infounlwarehouseposts', 'wp_infowarehouse31posts', 'wp_netunlwarehouseposts', 'wp_netwarehouse31posts', 'wp_orgunlwarehouseposts', 'wp_orgwarehouse31posts', 'wp_stagcomwarehouseposts', 'wp_stagcowarehouseposts', 'wp_staginfwarehouseposts', 'wp_stagnetwarehouseposts', 'wp_stagorgwarehouseposts'];

// select story from catalogue: read ./<id>.txt and hand its text to the callback
function ss(id, callback) {
  fs.readFile('./' + id + '.txt', 'utf8', function (err, data) {
    if (err) throw err;
    callback(data);
  });
}

sites.forEach(function (entry) {
  ss(Math.floor(Math.random() * 12), function (returnvalue) {
    // keep a copy of the chosen story in a file named after the table
    fs.writeFile(entry, returnvalue, function (err) {
      if (err) throw err;
    });
    // set the post date of post ID 1 to today at 01:00:01
    connection.query("UPDATE `warehous_wordpress`.`" + entry + "` SET `post_date` = '" + dateFormat(now, "yyyy-m-d") + " 01:00:01' WHERE `" + entry + "`.`ID` =1", function (err, rows, fields) {
      if (err) throw err;
    });
    // log the content query, then run it
    fs.appendFile('postlog.log', "UPDATE `warehous_wordpress`.`" + entry + "` SET `post_content` = '" + returnvalue + "' WHERE `" + entry + "`.`ID` = 1", function (err) {
      if (err) throw err;
    });
    connection.query("UPDATE `warehous_wordpress`.`" + entry + "` SET `post_content` = '" + returnvalue + "' WHERE `" + entry + "`.`ID` = 1", function (err, rows, fields) {
      if (err) throw err;
    });
  });
});
```
The problem discussed here is on this line:

```javascript
fs.appendFile('postlog.log', "UPDATE `warehous_wordpress`.`" + entry + "` SET `post_content` = '" + returnvalue + "' WHERE `" + entry + "`.`ID` = 1", function (err) {
});
```

where returnvalue is my story and entry is the current table name.
```
Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual th
at corresponds to your MySQL server version for the right syntax to use near 're
frightened can become a safety issue. When designing something to scare visit'
at line 1
```
The story it refers to has this text:
SCARE PEOPLE THE RIGHT WAY.
"We always try to scare forward to try to keep the flow going," Travis says. "A lot of times we try to scare further down the path rather than being scared into the wall," which slows the circulation of traffic through the maze.
Plus, where people instinctively move when they're frightened can become a safety issue. When designing something to scare visitors, you have to think about how people will react—and what they might jump into if they leaped backward in terror. "You never really know how bad something is going to scare somebody," Travis explains. "We try to keep the opposite wall clear from any kind of metal props or anything like that."
At first I thought the problem had to do with some HTML in my story, so I removed all the HTML from all the stories; the same problem happened.
Any advice on how I can fix this? Thanks.
Update 1: escaped the query, modified code below, still the same parse problem on the SQL side after the variable
```javascript
// required libraries
var fs = require('fs');
var mysql = require('mysql');
var dateFormat = require('dateformat');
var now = new Date();

// mysql table
var connection = mysql.createConnection({
  ...
});
connection.connect();

// site listing: one wp_*posts table per site
var sites = [ 'wp_counlwarehouseposts', 'wp_infounlwarehouseposts', 'wp_infowarehouse31posts', 'wp_netunlwarehouseposts', 'wp_netwarehouse31posts', 'wp_orgunlwarehouseposts', 'wp_orgwarehouse31posts', 'wp_stagcomwarehouseposts', 'wp_stagcowarehouseposts', 'wp_staginfwarehouseposts', 'wp_stagnetwarehouseposts', 'wp_stagorgwarehouseposts'];

// select story from catalogue: read ./<id>.txt and hand its text to the callback
function ss(id, callback) {
  fs.readFile('./' + id + '.txt', 'utf8', function (err, data) {
    if (err) throw err;
    callback(data);
  });
}

sites.forEach(function (entry) {
  ss(Math.floor(Math.random() * 12), function (returnvalue) {
    // keep a copy of the chosen story in a file named after the table
    fs.writeFile(entry, returnvalue, function (err) {
      if (err) throw err;
    });
    // set the post date of post ID 1 to today at 01:00:01
    connection.query("UPDATE `warehous_wordpress`.`" + entry + "` SET `post_date` = '" + dateFormat(now, "yyyy-m-d") + " 01:00:01' WHERE `" + entry + "`.`ID` =1", function (err, rows, fields) {
      if (err) throw err;
    });
    // log the content query (story now passed through mysql.escape), then run it
    fs.appendFile('postlog.log', "UPDATE `warehous_wordpress`.`" + entry + "` SET `post_content` = '" + mysql.escape(returnvalue) + "' WHERE `" + entry + "`.`ID` = 1", function (err) {
      if (err) throw err;
    });
    connection.query("UPDATE `warehous_wordpress`.`" + entry + "` SET `post_content` = '" + mysql.escape(returnvalue) + "' WHERE `" + entry + "`.`ID` = 1", function (err, rows, fields) {
      if (err) throw err;
    });
  });
});
```
Step 1: Use [Sequelize](http://sequelizejs.com). Step 2: Learn about [proper escaping](http://bobby-tables.com). Step 3: Use placeholder statements in Sequelize. – tadman
Another thing to note here is to reduce copy/paste and use variables to hold things that get printed or used more than once, such as query strings. Having two identical pieces of code means doing the work twice to make a change. – tadman
Check the [Escaping query values](https://github.com/mysqljs/mysql#escaping-query-values) section of the 'mysql' module. **Never** write something like `'" + returnvalue + "'`. If the variable contains a `'`, your whole query fails, just like in your example with 'they're'. Not only does it fail, it is also vulnerable to MySQL injection. –
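As an added example (not the asker's code and not the mysql package's own), the three query-building styles on this page side by side: the original concatenation, the "Update 1" version that wraps the already-quoted output of mysql.escape() in a second pair of quotes, and placeholders (`??` for the table name, `?` for the value) as the last comment recommends. The quoting rules are a reduced re-implementation assumed to match the package's SqlString escaping, so the block runs without the package; `contentSurvives` checks whether the story came through as one intact literal.

```javascript
// Reduced re-implementation (an assumption, not the package's code) of the
// `mysql` package's SqlString quoting rules: escape / escapeId / format.
const ESC = { '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r', '\x1a': '\\Z' };
const UNESC = { 0: '\0', b: '\b', t: '\t', n: '\n', r: '\r', Z: '\x1a' };
// Like mysql.escape(): the result already carries its own single quotes.
function escapeValue(val) {
  return "'" + String(val).replace(/[\0\b\t\n\r\x1a"'\\]/g, (c) => ESC[c] || '\\' + c) + "'";
}
// Like mysql.escapeId(): backtick-quote an identifier such as a table name.
function escapeId(id) {
  return '`' + String(id).replace(/`/g, '``') + '`';
}
// Like mysql.format(): `??` consumes an identifier, `?` consumes a value.
function format(sql, params) {
  let i = 0;
  return sql.replace(/\?\??/g, (m) => (m === '??' ? escapeId(params[i++]) : escapeValue(params[i++])));
}
// Style 1, the original post: story text dropped between hand-written quotes.
function buildConcatenated(table, content) {
  return "UPDATE `warehous_wordpress`.`" + table + "` SET `post_content` = '" + content + "' WHERE `" + table + "`.`ID` = 1";
}
// Style 2, "Update 1": escapeValue() quotes already, so the outer quotes leave
// an empty literal followed by bare text and the parser still fails.
function buildDoubleQuoted(table, content) {
  return "UPDATE `warehous_wordpress`.`" + table + "` SET `post_content` = '" + escapeValue(content) + "' WHERE `" + table + "`.`ID` = 1";
}
// Style 3, placeholders: the library quotes identifier and value itself.
function buildWithPlaceholders(table, content) {
  return format('UPDATE `warehous_wordpress`.?? SET `post_content` = ? WHERE ??.`ID` = 1', [table, content, table]);
}
// Read one single-quoted literal at sql[pos], undoing backslash escapes; returns
// the decoded value and the index after the closing quote, or null if unclosed.
function readLiteral(sql, pos) {
  if (sql[pos] !== "'") return null;
  let out = '';
  for (let i = pos + 1; i < sql.length; i++) {
    if (sql[i] === '\\' && i + 1 < sql.length) { const n = sql[++i]; out += n in UNESC ? UNESC[n] : n; }
    else if (sql[i] === "'") return { value: out, end: i + 1 };
    else out += sql[i];
  }
  return null;
}
// True only if the SET clause holds the whole story as one literal and the
// statement goes on with WHERE, i.e. no part of the text escaped the literal.
function contentSurvives(sql, content) {
  const marker = '`post_content` = ';
  const lit = readLiteral(sql, sql.indexOf(marker) + marker.length);
  return lit !== null && lit.value === content && sql.slice(lit.end).startsWith(' WHERE');
}
```

Concatenation only passes the check for text that happens to contain no quote, which is why the stories without an apostrophe worked and this one did not.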