JavaScript:长查询的预备语句

时间:2018-09-11 11:51:44

标签: javascript mysql

我正在努力保护自己的游戏免受SQL注入的侵扰,而我已经读过使用准备好的语句是做到这一点的一种方法,就像这样:

var userId = 5;
var query = connection.query('SELECT * FROM users WHERE id = ?', [userId], function(err, results) {
  //query.sql returns SELECT * FROM users WHERE id = '5'
});

但是当我的SQL看起来像这样时,我该怎么办?

let sql = `INSERT INTO ${table} (prefix_id, suffix_id, identifier_index, username, hashbrown, salt, date_created, date_updated) 
                SELECT ${args.prefix_id}, ${args.suffix_id}, COALESCE(MAX(identifier_index) + 1, 1), CONCAT(${args.username}, COALESCE(MAX(identifier_index) + 1, 1)),
                ${args.hash}, ${args.salt}, NOW(), NOW() from ${table} where prefix_id = ${args.prefix_id} AND suffix_id = ${args.suffix_id}`;

现在,因为最终它将继续使用AWS Lambda和API网关,我宁愿不使用某些第三方节点库或可能会中断的东西。

有什么想法吗?

1 个答案:

答案 0 :(得分:1)

您尝试过吗:

const query = connection.query(
    `INSERT INTO ${table} (prefix_id, suffix_id, identifier_index, username, hashbrown, salt, date_created, date_updated) 
            SELECT ?, ?, COALESCE(MAX(identifier_index) + 1, 1), CONCAT(?, COALESCE(MAX(identifier_index) + 1, 1)),
            ?, ?, NOW(), NOW() from ${table} where prefix_id = ? AND suffix_id = ?`,
    [
        args.prefix_id,
        args.suffix_id,
        args.username,
        args.hash,
        args.salt,
        args.prefix_id,
        args.suffix_id
    ],
    function(err,results) {
        //
    }
);

相关问题
最新问题