现在大家来学习下sql是如何注入的,传统的拼接字符串会造成
注入形式就是在变量那使用《1=1》这样查询无论怎样都是正确的
-- var sql = "select name from person where name=‘"+\n 1=1+"‘";
//不建议的写法
var sql = "select name from person where name=‘"+username+"‘"; connection.query(sql,function(err,rows,fields){ }
//建议的写法
var columns = ‘name‘; var username = ‘yudi‘; var sql = "select ?? from person where name=?"; connection.query(sql,[columns,username],function(err,rows,fields){ }
时间: 2024-11-01 11:29:49