如何转义string但不影响LIKE导致nodejs mysql js
最近我在nodejs web应用程序中使用mysqljs。
我想逃避SQL中的所有参数来防止注入攻击。
但是在LIKE模式中,SQL将受到转义string符号`的影响
Here is my query SELECT event.name, host.name, Guest.name FROM Event as event LEFT JOIN Host on Host._id = event.host_id LEFT JOIN Event_Guest on Event_Guest.event_id = Event._id LEFT JOIN Guest on Event_Guest.guest_id = Guest._id WHERE host._id = event.host_id AND event.status IN ('on', 'off') AND ( event.name LIKE "%?%" escape "'" OR host.name LIKE "%?%" OR guest.name LIKE "%?%") LIMIT ?, ?; `, [cond, cond, cond, skip, limit]) 如果我应用mysql.escape(cond) ,那么SQL就是LIKE "%'cond'%" 。
单引号会影响结果。
我怎样才能做转义参数,并保持原来的SQL?
你可以在string的开始和结尾添加% ,而不是在SQL中,你可能也想要转义原始string。 另外,如果你看一下https://github.com/mysqljs/mysql#escaping-query-values,你可能会注意到你不需要用双引号( " )来包装你的值。
假设我们试图实现这样的SQL查询:
SELECT event.name, host.name, Guest.name FROM Event as event LEFT JOIN Host on Host._id = event.host_id LEFT JOIN Event_Guest on Event_Guest.event_id = event._id LEFT JOIN Guest on Event_Guest.guest_id = Guest._id WHERE host._id = event.host_id AND event.status IN ('on', 'off') AND (event.name LIKE '%search%' escape "'" OR host.name LIKE '%search%', OR guest.name LIKE '%search') LIMIT 10, 0;
此更新代码示例可能适用于您:
new_cond = cond.slice(0, 1)+'%'+s.slice(1, cond.length-1)+'%'+cond.slice(cond.length-1); cond = mysql.escape(new_cond); # Should look like '%term%' status_in = ['on', 'off']; escape_char = "'"; connection.query('SELECT event.name, host.name, Guest.name FROM Event as event LEFT JOIN Host on Host._id = event.host_id LEFT JOIN Event_Guest on Event_Guest.event_id = Event._id LEFT JOIN Guest on Event_Guest.guest_id = Guest._id WHERE host._id = event.host_id AND event.status IN (?) AND ( event.name LIKE ? escape ? OR host.name LIKE ? OR guest.name LIKE ? ) LIMIT ?, ?;', [status_in, cond, escape_char, cond, cond, skip, limit])