单击编辑按钮后将现有数据传递到ejs从Node

时间:2019-03-17 18:34:54

标签: javascript node.js ejs 

connection.query('update customers set ? where id ='+ req.params.id, user, function(err, result) {
    if(err) {
      req.flash('error', err);

      //Since there is an error need to render back the edit page
      res.render('/customers/edit', {
         title: 'Edit Customer',
         id: req.params.id,
         name: 'select Name from customers where id='+req.params.id,
         email: 'select Email from customers where id='+req.params.id
      })
    } else {
         req.flash('success', 'Data updated successfully!');
         res.redirect('/customers');
    }
 })

edit.ejs:

<body>
<%= console.log(id) %>
<form action="/customers/update/<%= id %>" method="post" name="form1">
<div class="form-group">
  <label for="exampleInputPassword1">Name</label>
  <input type="text" class="form-control" name="name" id="name" value="<%= name %>" placeholder="Name">
</div>
<div class="form-group">
  <label for="exampleInputEmail1">Email address</label>
  <input type="email" class="form-control" name="email" id="email" aria-describedby="emailHelp" placeholder="Enter email" value="<%= email %>">
</div>

<button type="submit" class="btn btn-info">Update</button>
</form>
</body>

我很熟悉NodeJS,我试图在单击“编辑”按钮后从现有名称和电子邮件值中获取名称和电子邮件作为默认值。如果我用console.log(id)登录控制台中的ID,但是如果我登录它们,则名称和电子邮件是不确定的,我不确定如何在res.render中传递它们才能访问它在模板中,请提出建议。

1 个答案:

答案 0 :(得分:0)

首先,您的代码容易受到sql injection的攻击。我可以将诸如“ 1 UNION DROP TABLE用户”之类的查询传递到路径“ / customers / update /”,并基本上对数据库执行我想做的事情。

您需要像这样组装查询:

  df%>%ggplot(aes(x=species,y=weighted_change))+
  geom_hline(yintercept=0,linetype="dashed")+
  geom_boxplot(color="orangered")+
  labs(x="Species",y="Mean Change",title="Central Basin and Range")+
  theme(plot.title = element_text(hjust = 0.5,size = 12, face = "bold"))+
  theme(axis.title = element_text(size = 10, face = "bold"))+
  theme(axis.text=element_text(size=10,face="bold"))+
  theme(axis.text.x = element_text(angle = 45, hjust = 1))+
  coord_cartesian(ylim=c(-1.1,1.1))+
  stat_compare_means(label = "p.signif", method = "t.test", ref.group = ".all.", label.y=1.1)

然后执行如下查询:

var sql = 'UPDATE customers SET someColumn = ?, someOtherColumn = ? WHERE id = ?';

现在,在res.render上,您尝试传递var params = ['someValue', 'someOtherValue', 1]; connection.query(sql, params, function(err, result) { if (err) { //do something } }); ,该值将设置'select Name from customers where id='+req.params.id的值等于查询,而不是查询的结果

如果要将查询的结果传递给模板,则必须运行附加的name。看起来像这样:

connection.query
相关问题
最新问题