我正在使用Node.js(特别是discord.js)制作Discord机器人。我有一个名为!add的命令,它有两个以上的参数。 !add Name This is the reply(Name将为args[0])。这是我用来检查他们输入的Name是否已由用户创建的代码:
var info = {
"commandname": args[0],
"commandreply": args.join(" ").slice(1),
"username": message.author.name,
"userid": message.author.id
}
connection.query("SELECT * FROM commands WHERE commandname = " + args[0], info, function(error) {
if (error) throw error;
// should only fireif that command name already exists as a command.
return message.channel.sendMessage("A command with command name " + args[0] + " already exists.");
});
// SHOULD fire - as no commands in my database yet. Especially not with that name.
console.log("Trying to insert command " + args[0] + " into Database.");
但是当我运行此命令时出现错误:
Error: ER_BAD_FIELD_ERROR: Unknown column 'Name' in 'where clause'
如果你想看一下,这是add命令的完整代码:https://hastebin.com/qulivabeko.js
这是我的数据库目前的外观:http://imgur.com/a/L7fYI
我非常 SQL新手。
答案 0 :(得分:-1)
首先,你的代码很容易被sql注入。首先转义用户所做的所有输入,然后修复查询错误。它应该是这样的:SELECT * FROM commands WHERE commandname = '" + args[0] + "'"