您将需要将变量的 放入sql语句中。
这不好:
"SELECT * FROM arrivals WHERE flight = 'flightNo'"
这将起作用,但是从sql注入攻击中并不安全:
"SELECT * FROM arrivals WHERE flight = '" + flightNo + "'"
为了防止sql注入,您可以像这样转义您的价值:
"SELECT * FROM arrivals WHERE flight = '" + connection.escape(flightNo) + "'"
但是最好的方法是使用参数替换:
app.get("/arrivals/:flightNo", cors(), function(req, res) {
var flightNo = req.params.flightNo;
var sql = "SELECT * FROM arrivals WHERE flight = ?";
connection.query(sql, flightNo, function(err, rows, fields) {
});
});
如果要进行多个替换,请使用数组:
app.get("/arrivals/:flightNo", cors(), function(req, res) {
var flightNo = req.params.flightNo;
var minSize = req.query.minSize;
var sql = "SELECT * FROM arrivals WHERE flight = ? AND size >= ?";
connection.query(sql, [ flightNo, minSize ], function(err, rows, fields) {
});
});