我正在努力保护自己的游戏免受SQL注入的侵扰,而我已经读过使用准备好的语句是做到这一点的一种方法,就像这样:
var userId = 5;
var query = connection.query('SELECT * FROM users WHERE id = ?', [userId], function(err, results) {
//query.sql returns SELECT * FROM users WHERE id = '5'
});
但是当我的SQL看起来像这样时,我该怎么办?
let sql = `INSERT INTO ${table} (prefix_id, suffix_id, identifier_index, username, hashbrown, salt, date_created, date_updated)
SELECT ${args.prefix_id}, ${args.suffix_id}, COALESCE(MAX(identifier_index) + 1, 1), CONCAT(${args.username}, COALESCE(MAX(identifier_index) + 1, 1)),
${args.hash}, ${args.salt}, NOW(), NOW() from ${table} where prefix_id = ${args.prefix_id} AND suffix_id = ${args.suffix_id}`;
现在,因为最终它将继续使用AWS Lambda和API网关,我宁愿不使用某些第三方节点库或可能会中断的东西。
有什么想法吗?
答案 0 :(得分:1)
您尝试过吗:
const query = connection.query(
`INSERT INTO ${table} (prefix_id, suffix_id, identifier_index, username, hashbrown, salt, date_created, date_updated)
SELECT ?, ?, COALESCE(MAX(identifier_index) + 1, 1), CONCAT(?, COALESCE(MAX(identifier_index) + 1, 1)),
?, ?, NOW(), NOW() from ${table} where prefix_id = ? AND suffix_id = ?`,
[
args.prefix_id,
args.suffix_id,
args.username,
args.hash,
args.salt,
args.prefix_id,
args.suffix_id
],
function(err,results) {
//
}
);
?