防止 Node.js 中的 SQL 注入

是否有可能像 PHP 具有防止 SQL 注入的预处理语句那样防止 Node.js 中的 SQL 注入(最好使用模块).

Is it possible to prevent SQL injections in Node.js (preferably with a module) in the same way that PHP had Prepared Statements that protected against them.

如果是这样,怎么办?如果没有,有哪些示例可以绕过我提供的代码(见下文).

If so, how? If not, what are some examples that might bypass the code I've provided (see below).

一些背景:

我正在使用 制作一个包含 Node.js + MySql 的后端堆栈的 Web 应用程序node-mysql 模块.从可用性的角度来看,该模块很棒,但它还没有实现类似于 PHP 的 准备好的声明(虽然我知道它在todo).

I'm making a web application with a back-end stack consisting of Node.js + MySql using the node-mysql module. From a usability perspective, the module is great, but it has not yet implemented something akin to PHP's Prepared Statements (though I'm aware it is on the todo).

据我了解,PHP 对准备好的语句的实现,除其他外,在防止 SQL 注入方面有很大帮助.不过,我担心我的 node.js 应用程序可能会受到类似的攻击,即使使用默认提供的字符串转义(如下面的代码片段所示).

From my understanding, PHP's implementation of prepared statements, among other things, helped greatly in the prevention of SQL injections. I'm worried, though, that my node.js app may be open to similar attacks, even with the string escaping provided by default (as in the code snippet below).

node-mysql 似乎是最流行的 node.js mysql 连接器,所以我想知道其他人可能会做什么(如果有的话)来解决这个问题——或者它是否甚至是 node.js 的问题首先(不知道怎么会不会,因为涉及到用户/客户端输入).

node-mysql seems to be the most popular mysql connector for node.js, so I was wondering what other people might be doing (if anything) to account for this issue - or if it is even an issue with node.js to begin with (not sure how this wouldn't be, since user/client-side input is involved).

我是否应该暂时切换到node-mysql-native,因为它确实提供了准备好的语句?我很犹豫要不要这样做,因为它似乎不像 node-mysql 那样活跃(尽管这可能只是意味着它是完整的).

Should I switch to node-mysql-native for the time being, since it does provide prepared statements? I'm hesitant to do this, because it does not seem to be as active as node-mysql (though that may just mean that it is complete).

这是一段用户注册代码,它使用了 sanitizer 模块,以及使用 node-mysql 准备好的类似语句的语法(正如我上面提到的,进行字符转义),分别防止跨站点脚本和 sql 注入:

Here is a snippet of user registration code, which uses the sanitizer module, along with node-mysql's prepared statement-like syntax (which, as I mentioned above, does character escaping), to prevent cross site scripting and sql injections, respectively:

// Prevent xss
var clean_user = sanitizer.sanitize(username);

// assume password is hashed already
var post = {Username: clean_user, Password: hash};

// This just uses connection.escape() underneath
var query = connection.query('INSERT INTO users SET ?', post,
   function(err, results)
   {
       // Can a Sql injection happen here?
   });

推荐答案

node-mysql 库在使用时会自动执行转义,就像您已经在做的那样.见 https://github.com/felixge/node-mysql#escaping-query-值

The node-mysql library automatically performs escaping when used as you are already doing. See https://github.com/felixge/node-mysql#escaping-query-values

相关文章