Javascript 如何使用动态数组进行mysql查询
我有两个数组,如下所示Javascript 如何使用动态数组进行mysql查询,javascript,mysql,arrays,node.js,Javascript,Mysql,Arrays,Node.js,我有两个数组,如下所示 var fieldarray = [ 'category', 'bookid', 'bookauthor', 'booktitle', 'price', 'publication', 'publication_date' ] var
var fieldarray = [ 'category',
'bookid',
'bookauthor',
'booktitle',
'price',
'publication',
'publication_date' ]
var dataarray = [ 'fantasy',
'',
'JKR',
'',
'',
'',
'' ]
select category,bookid,bookauthor,booktitle,price,publication,publication_date from tbl_books where category like '%fantasy%' OR bookauthor like '%JKR%'
var fieldarray = [ 'category',
'bookid',
'bookauthor',
'booktitle',
'price',
'publication',
'publication_date' ]
var dataarray = [ 'fantasy',
'',
'JKR',
'',
'',
'',
'' ]
select category,bookid,bookauthor,booktitle,price,publication,publication_date from tbl_books where category like '%fantasy%' OR bookauthor like '%JKR%'
var filters = [];
dataarray.forEach((val, index) => {
if(val)
filters.push(`${fieldarray[index]} like '%${val}%'`);
});
var result = `select ${fieldarray.join(",")} from tbl_books where ${filters.join(" OR ")} `;
只需迭代dataarray,检查字段是否为空,并将其连接到结果查询。始终确保舒尔不会受到SQL注入的影响 使用reduce准备一张地图,首先链接数据字段
var map = fieldarray.reduce( ( a, c, i ) => ( dataarray[i] && (a[c] = dataarray[i]), a ) , {}) ;
console.logquery;此答案易受SQL注入的影响。例如:。不过,这对标识符不起作用。@Ilja OP应该在之前明确地转义这两个数组。或者干脆不手动转义,而是使用占位符,除非是在列和表名的情况下。白名单是一种很好的方法。您应该明确使用一个允许查询的mysql模块……这也为SQL注入打开了。@IljaEveriläYes,共享了硬编码值的替代方法。@JonasW。斯巴雷?没有得到你的答案。这仍然是开放的sql注入vie参数:/@JonasW。现在它是一个参数化查询。您能详细说明一下这是如何对sql注入开放的吗?