1. 首頁
  2. 問答
  3. 轉義Node.JS MySQL問題

轉義Node.JS MySQL問題

2016-08-14 85 views
0

我創建了一個守護進程,它會隨機地在我的頁面周圍自動更改MYSQL表格內容。 (wordpress表格)轉義Node.JS MySQL問題

我有一個系統將讀取的故事數組,然後更新表中的mysql,以及更新服務器上的時間戳。

我的代碼看起來像這樣

//required libraries 
fs = require('fs') 
var mysql = require('mysql'); 
var dateFormat = require('dateformat'); 
var now = new Date(); 

//mysql table 
var connection = mysql.createConnection({ 
    host  : 'yomamabinshoppin', 
    user  : 'nonya', 
    password : 'defineltynonya', 
    database : 'okbye' 
}); 


connection.connect(); 


//sitelisting 
var sites = [ 'wp_counlwarehouseposts', 'wp_infounlwarehouseposts', 'wp_infowarehouse31posts', 'wp_netunlwarehouseposts', 'wp_netwarehouse31posts', 'wp_orgunlwarehouseposts', 'wp_orgwarehouse31posts', 'wp_stagcomwarehouseposts', 'wp_stagcowarehouseposts', 'wp_staginfwarehouseposts', 'wp_stagnetwarehouseposts', 'wp_stagorgwarehouseposts']; 

//select story from catalogue 
function ss (id,callback){ 
    fs.readFile('./' + id +'.txt', 'utf8', function (err,data) { 
    callback(data); 
});} 

sites.forEach(function(entry) { 
    ss(Math.floor(Math.random() * 12), function (returnvalue){ 
    fs.writeFile(entry, returnvalue); 
    connection.query("UPDATE `warehous_wordpress`.`"+entry+"` SET `post_date` = '"+ dateFormat(now, "yyyy-m-d") +" 01:00:01' WHERE `"+entry+"`.`ID` =1", function(err, rows, fields) { 

if (err) throw err; 


}); 
fs.appendFile('postlog.log', "UPDATE `warehous_wordpress`.`"+entry+"` SET `post_content` = '"+returnvalue+"' WHERE `"+entry+"`.`ID` = 1" , function (err) { 

}); 
connection.query("UPDATE `warehous_wordpress`.`"+entry+"` SET `post_content` = '"+returnvalue+"' WHERE `"+entry+"`.`ID` = 1", function(err, rows, fields) { 

if (err) throw err; 
}); 

}); 


});

在這裏討論的問題是在

fs.appendFile('postlog.log', "UPDATE `warehous_wordpress`.`"+entry+"` SET `post_content` = '"+returnvalue+"' WHERE `"+entry+"`.`ID` = 1" , function (err) { 

});

所在行返回值是我的故事,而其中一項是當前表名。

Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual th 
at corresponds to your MySQL server version for the right syntax to use near 're 
frightened can become a safety issue. When designing something to scare visit' 
at line 1

它所指的故事有這個文本。

SCARE PEOPLE THE RIGHT WAY. 
"We always try to scare forward to try to keep the flow going," Travis says. "A lot of times we try to scare further down the path rather than being scared into the wall," which slows the circulation of traffic through the maze. 
Plus, where people instinctively move when they're frightened can become a safety issue. When designing something to scare visitors, you have to think about how people will react—and what they might jump into if they leaped backward in terror. "You never really know how bad something is going to scare somebody," Travis explains. "We try to keep the opposite wall clear from any kind of metal props or anything like that."

起初我以爲問題涉及到在我的故事的一些HTML,所以我刪除了所有的故事的HTML,同樣的問題發生了什麼。

任何意見,我怎麼能解決這個問題? 謝謝。

更新1 逃逸的查詢,修改後的代碼,仍然在SQL端相同的解析問題的變量之後

//required libraries 
fs = require('fs') 
var mysql = require('mysql'); 
var dateFormat = require('dateformat'); 
var now = new Date(); 

//mysql table 
var connection = mysql.createConnection({ 
    ... 
}); 


connection.connect(); 


//sitelisting 
var sites = [ 'wp_counlwarehouseposts', 'wp_infounlwarehouseposts', 'wp_infowarehouse31posts', 'wp_netunlwarehouseposts', 'wp_netwarehouse31posts', 'wp_orgunlwarehouseposts', 'wp_orgwarehouse31posts', 'wp_stagcomwarehouseposts', 'wp_stagcowarehouseposts', 'wp_staginfwarehouseposts', 'wp_stagnetwarehouseposts', 'wp_stagorgwarehouseposts']; 

//select story from catalogue 
function ss (id,callback){ 
    fs.readFile('./' + id +'.txt', 'utf8', function (err,data) { 
    callback(data); 
});} 

sites.forEach(function(entry) { 
    ss(Math.floor(Math.random() * 12), function (returnvalue){ 
    fs.writeFile(entry, returnvalue); 
    connection.query("UPDATE `warehous_wordpress`.`"+entry+"` SET `post_date` = '"+ dateFormat(now, "yyyy-m-d") +" 01:00:01' WHERE `"+entry+"`.`ID` =1", function(err, rows, fields) { 

if (err) throw err; 


}); 
fs.appendFile('postlog.log', "UPDATE `warehous_wordpress`.`"+ entry + "` SET `post_content` = '"+ mysql.escape(returnvalue) +"' WHERE `"+ entry +"`.`ID` = 1" , function (err) { 

}); 
connection.query("UPDATE `warehous_wordpress`.`"+ entry +"` SET `post_content` = '" + mysql.escape(returnvalue) + "' WHERE `"+ entry +"`.`ID` = 1", function(err, rows, fields) { 

if (err) throw err; 
}); 

}); 


});

來源

2016-08-14 Christopher Allen

+0

第1步:使用[Sequelize](http://sequelizejs.com)。第2步:瞭解[正確轉義](http://bobby-tables.com)。第3步:在Sequelize中使用佔位符語句。 – tadman

+0

這裏需要注意的另一件事是減少複製/粘貼並使用變量來保存查詢字符串等打印或使用多次的東西。擁有兩個相同的代碼意味着要做兩次工作來進行更改。 – tadman

+0

檢查'mysql'模塊的[轉義查詢值](https://github.com/mysqljs/mysql#escaping-query-values)部分。 **從不**寫類似''「+ returnvalue +」''的東西。如果變量包含一個''',那麼你的整個查詢失敗了,就像你用'they're'的例子。不僅會失敗,而且還容易受到mysql注入的影響。 –

回答

1

您需要總是正確地逃避你的變量。

如果您returnvaluethey're然後將查詢的這個部分:

SET `post_content` = '" + returnvalue + "' WHERE

將變爲:

SET `post_content` = 'they're' WHERE

正如你所看到的,這將導致到語法錯誤在're

在最壞的情況下,這可以用來將一些數據注入到數據庫中。如果returnvalue例如會they', ID='1,那麼你的查詢將是:

SET `post_content` = 'they', ID='1' WHERE

所以你總是必須escape你的價值觀,或者使用?mysql.escape

使用???

connection.query(
    "UPDATE `warehous_wordpress`.?? SET `post_content` = ? WHERE ??.`ID` = 1", 
    [entry, returnvalue, entry] , 
    function(err, rows, fields) {});

使用mysql.escapeIdmysql.escape

connection.query(
    "UPDATE `warehous_wordpress`." + mysql.escapeId(entry) + 
    " SET `post_content` = " + mysql.escape(returnvalue) + 
    " WHERE " + mysql.escapeId(entry) + ".`ID` = 1", 
    function(err, rows, fields) {});

我建議你使用???

來源

2016-08-14 12:31:44

0

嘗試像下面

fs = require('fs'); 
var mysql = require('mysql'); 
var dateFormat = require('dateformat'); 
var async = require('async'); 

var connection = mysql.createConnection({ 
    ... 
}); 
connection.connect(); 

var sites = [ 'wp_counlwarehouseposts', 'wp_infounlwarehouseposts', ...]; 

function copyFile(source, target, callback) { 
    var rs = fs.createReadStream(source); 
    rs.on('error', callback); 

    var ws = fs.createWriteStream(target); 
    ws.on('error', callback); 
    ws.on('close', callback); 
    rs.pipe(wr); 
} 

function updateSite(site, callback) { 
    copyFile('./' + Math.floor(Math.random() * 12) +'.txt', site, function(err) { 
     if (err) 
      return callback(err); 

     connection.query(
      'UPDATE warehous_wordpress.? SET post_date = ? WHERE ?.ID=1', 
      [site, dateFormat(now, 'yyyy-m-d') + ' 01:00:01', site], 
      callback 
     ); 
    }); 
} 

async.eachSeries(sites, updateSite, function (err) { if (err) throw err; });

來源

2016-08-14 11:36:03

+0

標識符必須用''''而不是''''來轉義。 –

相關問題

 相關問題