1. 首页
  2. 问答
  3. 转义Node.JS MySQL问题

转义Node.JS MySQL问题

2016-08-14 87 views
0

我创建了一个守护进程,它会随机地在我的页面周围自动更改MYSQL表格内容。 (wordpress表格)转义Node.JS MySQL问题

我有一个系统将读取的故事数组,然后更新表中的mysql,以及更新服务器上的时间戳。

我的代码看起来像这样

//required libraries 
fs = require('fs') 
var mysql = require('mysql'); 
var dateFormat = require('dateformat'); 
var now = new Date(); 

//mysql table 
var connection = mysql.createConnection({ 
    host  : 'yomamabinshoppin', 
    user  : 'nonya', 
    password : 'defineltynonya', 
    database : 'okbye' 
}); 


connection.connect(); 


//sitelisting 
var sites = [ 'wp_counlwarehouseposts', 'wp_infounlwarehouseposts', 'wp_infowarehouse31posts', 'wp_netunlwarehouseposts', 'wp_netwarehouse31posts', 'wp_orgunlwarehouseposts', 'wp_orgwarehouse31posts', 'wp_stagcomwarehouseposts', 'wp_stagcowarehouseposts', 'wp_staginfwarehouseposts', 'wp_stagnetwarehouseposts', 'wp_stagorgwarehouseposts']; 

//select story from catalogue 
function ss (id,callback){ 
    fs.readFile('./' + id +'.txt', 'utf8', function (err,data) { 
    callback(data); 
});} 

sites.forEach(function(entry) { 
    ss(Math.floor(Math.random() * 12), function (returnvalue){ 
    fs.writeFile(entry, returnvalue); 
    connection.query("UPDATE `warehous_wordpress`.`"+entry+"` SET `post_date` = '"+ dateFormat(now, "yyyy-m-d") +" 01:00:01' WHERE `"+entry+"`.`ID` =1", function(err, rows, fields) { 

if (err) throw err; 


}); 
fs.appendFile('postlog.log', "UPDATE `warehous_wordpress`.`"+entry+"` SET `post_content` = '"+returnvalue+"' WHERE `"+entry+"`.`ID` = 1" , function (err) { 

}); 
connection.query("UPDATE `warehous_wordpress`.`"+entry+"` SET `post_content` = '"+returnvalue+"' WHERE `"+entry+"`.`ID` = 1", function(err, rows, fields) { 

if (err) throw err; 
}); 

}); 


});

在这里讨论的问题是在

fs.appendFile('postlog.log', "UPDATE `warehous_wordpress`.`"+entry+"` SET `post_content` = '"+returnvalue+"' WHERE `"+entry+"`.`ID` = 1" , function (err) { 

});

所在行返回值是我的故事,而其中一项是当前表名。

Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual th 
at corresponds to your MySQL server version for the right syntax to use near 're 
frightened can become a safety issue. When designing something to scare visit' 
at line 1

它所指的故事有这个文本。

SCARE PEOPLE THE RIGHT WAY. 
"We always try to scare forward to try to keep the flow going," Travis says. "A lot of times we try to scare further down the path rather than being scared into the wall," which slows the circulation of traffic through the maze. 
Plus, where people instinctively move when they're frightened can become a safety issue. When designing something to scare visitors, you have to think about how people will react—and what they might jump into if they leaped backward in terror. "You never really know how bad something is going to scare somebody," Travis explains. "We try to keep the opposite wall clear from any kind of metal props or anything like that."

起初我以为问题涉及到在我的故事的一些HTML,所以我删除了所有的故事的HTML,同样的问题发生了什么。

任何意见,我怎么能解决这个问题? 谢谢。

更新1 逃逸的查询,修改后的代码,仍然在SQL端相同的解析问题的变量之后

//required libraries 
fs = require('fs') 
var mysql = require('mysql'); 
var dateFormat = require('dateformat'); 
var now = new Date(); 

//mysql table 
var connection = mysql.createConnection({ 
    ... 
}); 


connection.connect(); 


//sitelisting 
var sites = [ 'wp_counlwarehouseposts', 'wp_infounlwarehouseposts', 'wp_infowarehouse31posts', 'wp_netunlwarehouseposts', 'wp_netwarehouse31posts', 'wp_orgunlwarehouseposts', 'wp_orgwarehouse31posts', 'wp_stagcomwarehouseposts', 'wp_stagcowarehouseposts', 'wp_staginfwarehouseposts', 'wp_stagnetwarehouseposts', 'wp_stagorgwarehouseposts']; 

//select story from catalogue 
function ss (id,callback){ 
    fs.readFile('./' + id +'.txt', 'utf8', function (err,data) { 
    callback(data); 
});} 

sites.forEach(function(entry) { 
    ss(Math.floor(Math.random() * 12), function (returnvalue){ 
    fs.writeFile(entry, returnvalue); 
    connection.query("UPDATE `warehous_wordpress`.`"+entry+"` SET `post_date` = '"+ dateFormat(now, "yyyy-m-d") +" 01:00:01' WHERE `"+entry+"`.`ID` =1", function(err, rows, fields) { 

if (err) throw err; 


}); 
fs.appendFile('postlog.log', "UPDATE `warehous_wordpress`.`"+ entry + "` SET `post_content` = '"+ mysql.escape(returnvalue) +"' WHERE `"+ entry +"`.`ID` = 1" , function (err) { 

}); 
connection.query("UPDATE `warehous_wordpress`.`"+ entry +"` SET `post_content` = '" + mysql.escape(returnvalue) + "' WHERE `"+ entry +"`.`ID` = 1", function(err, rows, fields) { 

if (err) throw err; 
}); 

}); 


});

来源

2016-08-14 Christopher Allen

+0

第1步:使用[Sequelize](http://sequelizejs.com)。第2步:了解[正确转义](http://bobby-tables.com)。第3步:在Sequelize中使用占位符语句。 – tadman

+0

这里需要注意的另一件事是减少复制/粘贴并使用变量来保存查询字符串等打印或使用多次的东西。拥有两个相同的代码意味着要做两次工作来进行更改。 – tadman

+0

检查'mysql'模块的[转义查询值](https://github.com/mysqljs/mysql#escaping-query-values)部分。 **从不**写类似''“+ returnvalue +”''的东西。如果变量包含一个''',那么你的整个查询失败了,就像你用'they're'的例子。不仅会失败,而且还容易受到mysql注入的影响。 –

回答

1

您需要总是正确地逃避你的变量。

如果您returnvaluethey're然后将查询的这个部分:

SET `post_content` = '" + returnvalue + "' WHERE

将变为:

SET `post_content` = 'they're' WHERE

正如你所看到的,这将导致到语法错误在're

在最坏的情况下,这可以用来将一些数据注入到数据库中。如果returnvalue例如会they', ID='1,那么你的查询将是:

SET `post_content` = 'they', ID='1' WHERE

所以你总是必须escape你的价值观,或者使用?mysql.escape

使用???

connection.query(
    "UPDATE `warehous_wordpress`.?? SET `post_content` = ? WHERE ??.`ID` = 1", 
    [entry, returnvalue, entry] , 
    function(err, rows, fields) {});

使用mysql.escapeIdmysql.escape

connection.query(
    "UPDATE `warehous_wordpress`." + mysql.escapeId(entry) + 
    " SET `post_content` = " + mysql.escape(returnvalue) + 
    " WHERE " + mysql.escapeId(entry) + ".`ID` = 1", 
    function(err, rows, fields) {});

我建议你使用???

来源

2016-08-14 12:31:44

0

尝试像下面

fs = require('fs'); 
var mysql = require('mysql'); 
var dateFormat = require('dateformat'); 
var async = require('async'); 

var connection = mysql.createConnection({ 
    ... 
}); 
connection.connect(); 

var sites = [ 'wp_counlwarehouseposts', 'wp_infounlwarehouseposts', ...]; 

function copyFile(source, target, callback) { 
    var rs = fs.createReadStream(source); 
    rs.on('error', callback); 

    var ws = fs.createWriteStream(target); 
    ws.on('error', callback); 
    ws.on('close', callback); 
    rs.pipe(wr); 
} 

function updateSite(site, callback) { 
    copyFile('./' + Math.floor(Math.random() * 12) +'.txt', site, function(err) { 
     if (err) 
      return callback(err); 

     connection.query(
      'UPDATE warehous_wordpress.? SET post_date = ? WHERE ?.ID=1', 
      [site, dateFormat(now, 'yyyy-m-d') + ' 01:00:01', site], 
      callback 
     ); 
    }); 
} 

async.eachSeries(sites, updateSite, function (err) { if (err) throw err; });

来源

2016-08-14 11:36:03

+0

标识符必须用''''而不是''''来转义。 –

相关问题

 相关问题