我创建了一个守护进程,它会随机地在我的页面周围自动更改MYSQL表格内容。 (wordpress表格)转义Node.JS MySQL问题
我有一个系统将读取的故事数组,然后更新表中的mysql,以及更新服务器上的时间戳。
我的代码看起来像这样
//required libraries
fs = require('fs')
var mysql = require('mysql');
var dateFormat = require('dateformat');
var now = new Date();
//mysql table
var connection = mysql.createConnection({
host : 'yomamabinshoppin',
user : 'nonya',
password : 'defineltynonya',
database : 'okbye'
});
connection.connect();
//sitelisting
var sites = [ 'wp_counlwarehouseposts', 'wp_infounlwarehouseposts', 'wp_infowarehouse31posts', 'wp_netunlwarehouseposts', 'wp_netwarehouse31posts', 'wp_orgunlwarehouseposts', 'wp_orgwarehouse31posts', 'wp_stagcomwarehouseposts', 'wp_stagcowarehouseposts', 'wp_staginfwarehouseposts', 'wp_stagnetwarehouseposts', 'wp_stagorgwarehouseposts'];
//select story from catalogue
function ss (id,callback){
fs.readFile('./' + id +'.txt', 'utf8', function (err,data) {
callback(data);
});}
sites.forEach(function(entry) {
ss(Math.floor(Math.random() * 12), function (returnvalue){
fs.writeFile(entry, returnvalue);
connection.query("UPDATE `warehous_wordpress`.`"+entry+"` SET `post_date` = '"+ dateFormat(now, "yyyy-m-d") +" 01:00:01' WHERE `"+entry+"`.`ID` =1", function(err, rows, fields) {
if (err) throw err;
});
fs.appendFile('postlog.log', "UPDATE `warehous_wordpress`.`"+entry+"` SET `post_content` = '"+returnvalue+"' WHERE `"+entry+"`.`ID` = 1" , function (err) {
});
connection.query("UPDATE `warehous_wordpress`.`"+entry+"` SET `post_content` = '"+returnvalue+"' WHERE `"+entry+"`.`ID` = 1", function(err, rows, fields) {
if (err) throw err;
});
});
});
在这里讨论的问题是在
fs.appendFile('postlog.log', "UPDATE `warehous_wordpress`.`"+entry+"` SET `post_content` = '"+returnvalue+"' WHERE `"+entry+"`.`ID` = 1" , function (err) {
});
所在行返回值是我的故事,而其中一项是当前表名。
Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual th
at corresponds to your MySQL server version for the right syntax to use near 're
frightened can become a safety issue. When designing something to scare visit'
at line 1
它所指的故事有这个文本。
SCARE PEOPLE THE RIGHT WAY.
"We always try to scare forward to try to keep the flow going," Travis says. "A lot of times we try to scare further down the path rather than being scared into the wall," which slows the circulation of traffic through the maze.
Plus, where people instinctively move when they're frightened can become a safety issue. When designing something to scare visitors, you have to think about how people will react—and what they might jump into if they leaped backward in terror. "You never really know how bad something is going to scare somebody," Travis explains. "We try to keep the opposite wall clear from any kind of metal props or anything like that."
起初我以为问题涉及到在我的故事的一些HTML,所以我删除了所有的故事的HTML,同样的问题发生了什么。
任何意见,我怎么能解决这个问题? 谢谢。
更新1 逃逸的查询,修改后的代码,仍然在SQL端相同的解析问题的变量之后
//required libraries
fs = require('fs')
var mysql = require('mysql');
var dateFormat = require('dateformat');
var now = new Date();
//mysql table
var connection = mysql.createConnection({
...
});
connection.connect();
//sitelisting
var sites = [ 'wp_counlwarehouseposts', 'wp_infounlwarehouseposts', 'wp_infowarehouse31posts', 'wp_netunlwarehouseposts', 'wp_netwarehouse31posts', 'wp_orgunlwarehouseposts', 'wp_orgwarehouse31posts', 'wp_stagcomwarehouseposts', 'wp_stagcowarehouseposts', 'wp_staginfwarehouseposts', 'wp_stagnetwarehouseposts', 'wp_stagorgwarehouseposts'];
//select story from catalogue
function ss (id,callback){
fs.readFile('./' + id +'.txt', 'utf8', function (err,data) {
callback(data);
});}
sites.forEach(function(entry) {
ss(Math.floor(Math.random() * 12), function (returnvalue){
fs.writeFile(entry, returnvalue);
connection.query("UPDATE `warehous_wordpress`.`"+entry+"` SET `post_date` = '"+ dateFormat(now, "yyyy-m-d") +" 01:00:01' WHERE `"+entry+"`.`ID` =1", function(err, rows, fields) {
if (err) throw err;
});
fs.appendFile('postlog.log', "UPDATE `warehous_wordpress`.`"+ entry + "` SET `post_content` = '"+ mysql.escape(returnvalue) +"' WHERE `"+ entry +"`.`ID` = 1" , function (err) {
});
connection.query("UPDATE `warehous_wordpress`.`"+ entry +"` SET `post_content` = '" + mysql.escape(returnvalue) + "' WHERE `"+ entry +"`.`ID` = 1", function(err, rows, fields) {
if (err) throw err;
});
});
});
第1步:使用[Sequelize](http://sequelizejs.com)。第2步:了解[正确转义](http://bobby-tables.com)。第3步:在Sequelize中使用占位符语句。 – tadman
这里需要注意的另一件事是减少复制/粘贴并使用变量来保存查询字符串等打印或使用多次的东西。拥有两个相同的代码意味着要做两次工作来进行更改。 – tadman
检查'mysql'模块的[转义查询值](https://github.com/mysqljs/mysql#escaping-query-values)部分。 **从不**写类似''“+ returnvalue +”''的东西。如果变量包含一个''',那么你的整个查询失败了,就像你用'they're'的例子。不仅会失败,而且还容易受到mysql注入的影响。 –