问题
I want to write an SQL query that contains a NodeJS variable. When I do this, it gives me an error of 'undefined'.
I want the SQL query below to recognize the flightNo variable. How can a NodeJS variable be input into an SQL query? Does it need special characters around it like $ or ?.
app.get("/arrivals/:flightNo?", cors(), function(req,res){
var flightNo = req.params.flightNo;
connection.query("SELECT * FROM arrivals WHERE flight = 'flightNo'", function(err, rows, fields) {
回答1:
You will need to put the value of the variable into the SQL statement.
This is no good:
"SELECT * FROM arrivals WHERE flight = 'flightNo'"
This will work, but it is not safe from SQL injection attacks:
"SELECT * FROM arrivals WHERE flight = '" + flightNo + "'"
To be safe from SQL injection, you can escape your value like this:
"SELECT * FROM arrivals WHERE flight = '" + connection.escape(flightNo) + "'"
But the best way is with parameter substitution:
app.get("/arrivals/:flightNo", cors(), function(req, res) {
var flightNo = req.params.flightNo;
var sql = "SELECT * FROM arrivals WHERE flight = ?";
connection.query(sql, flightNo, function(err, rows, fields) {
});
});
If you have multiple substitutions to make, use an array:
app.get("/arrivals/:flightNo", cors(), function(req, res) {
var flightNo = req.params.flightNo;
var minSize = req.query.minSize;
var sql = "SELECT * FROM arrivals WHERE flight = ? AND size >= ?";
connection.query(sql, [ flightNo, minSize ], function(err, rows, fields) {
});
});
回答2:
If you are using > ES6 :
connection.query(`SELECT * FROM arrivals WHERE flight = ${flightNo}`, function(err, rows, fields) {
If you are < ES6 :
connection.query("SELECT * FROM arrivals WHERE flight = " + flightNo, function(err, rows, fields) {
Please note that this is VERY BAD practice as you will be vulnerable to SQL-injection attacks.
来源:https://stackoverflow.com/questions/41168942/how-to-input-a-nodejs-variable-into-an-sql-query