問題描述

是否有可能像 PHP 具有防止 SQL 注入的預(yù)處理語句那樣防止 Node.js 中的 SQL 注入(最好使用模塊).

Is it possible to prevent SQL injections in Node.js (preferably with a module) in the same way that PHP had Prepared Statements that protected against them.

如果是這樣，怎么辦?如果沒有，有哪些示例可以繞過我提供的代碼(見下文).

If so, how? If not, what are some examples that might bypass the code I've provided (see below).

一些背景:

我正在使用 制作一個(gè)包含 Node.js + MySql 的后端堆棧的 Web 應(yīng)用程序node-mysql 模塊.從可用性的角度來看，該模塊很棒，但它還沒有實(shí)現(xiàn)類似于 PHP 的 準(zhǔn)備好的聲明(雖然我知道它在todo).

I'm making a web application with a back-end stack consisting of Node.js + MySql using the node-mysql module. From a usability perspective, the module is great, but it has not yet implemented something akin to PHP's Prepared Statements (though I'm aware it is on the todo).

據(jù)我了解，PHP 對(duì)準(zhǔn)備好的語句的實(shí)現(xiàn)，除其他外，在防止 SQL 注入方面有很大幫助.不過，我擔(dān)心我的 node.js 應(yīng)用程序可能會(huì)受到類似的攻擊，即使使用默認(rèn)提供的字符串轉(zhuǎn)義(如下面的代碼片段所示).

From my understanding, PHP's implementation of prepared statements, among other things, helped greatly in the prevention of SQL injections. I'm worried, though, that my node.js app may be open to similar attacks, even with the string escaping provided by default (as in the code snippet below).

node-mysql 似乎是最流行的 node.js mysql 連接器，所以我想知道其他人可能會(huì)做什么(如果有的話)來解決這個(gè)問題——或者它是否甚至是 node.js 的問題首先(不知道怎么會(huì)不會(huì)，因?yàn)樯婕暗接脩?客戶端輸入).

node-mysql seems to be the most popular mysql connector for node.js, so I was wondering what other people might be doing (if anything) to account for this issue - or if it is even an issue with node.js to begin with (not sure how this wouldn't be, since user/client-side input is involved).

我是否應(yīng)該暫時(shí)切換到node-mysql-native，因?yàn)樗_實(shí)提供了準(zhǔn)備好的語句?我很猶豫要不要這樣做，因?yàn)樗坪醪幌?node-mysql 那樣活躍(盡管這可能只是意味著它是完整的).

Should I switch to node-mysql-native for the time being, since it does provide prepared statements? I'm hesitant to do this, because it does not seem to be as active as node-mysql (though that may just mean that it is complete).

這是一段用戶注冊(cè)代碼，它使用了 sanitizer 模塊，以及使用 node-mysql 準(zhǔn)備好的類似語句的語法(正如我上面提到的，進(jìn)行字符轉(zhuǎn)義)，分別防止跨站點(diǎn)腳本和 sql 注入:

Here is a snippet of user registration code, which uses the sanitizer module, along with node-mysql's prepared statement-like syntax (which, as I mentioned above, does character escaping), to prevent cross site scripting and sql injections, respectively:

// Prevent xss
var clean_user = sanitizer.sanitize(username);

// assume password is hashed already
var post = {Username: clean_user, Password: hash};

// This just uses connection.escape() underneath
var query = connection.query('INSERT INTO users SET ?', post,
   function(err, results)
   {
       // Can a Sql injection happen here?
   });

推薦答案

node-mysql 庫在使用時(shí)會(huì)自動(dòng)執(zhí)行轉(zhuǎn)義，就像您已經(jīng)在做的那樣.見 https://github.com/felixge/node-mysql#escaping-query-值

The node-mysql library automatically performs escaping when used as you are already doing. See https://github.com/felixge/node-mysql#escaping-query-values

這篇關(guān)于防止 Node.js 中的 SQL 注入的文章就介紹到這了，希望我們推薦的答案對(duì)大家有所幫助，也希望大家多多支持html5模板網(wǎng)！