Node.js 使用nodejs 7.3.0时不能使用反勾号
我试图运行一个简单的网站,遇到了以下回退错误Node.js 使用nodejs 7.3.0时不能使用反勾号,node.js,Node.js,我试图运行一个简单的网站,遇到了以下回退错误 `INSERT INTO questions(qid, uid, question, difficulty, cid) VALUES(${qid},${uid},${question},${difficulty},${cid})`, ^^^^^^ SyntaxError: Unexpected identifier at Object.exports.runInThisContext (vm.js:78:16) at Mod
`INSERT INTO questions(qid, uid, question, difficulty, cid) VALUES(${qid},${uid},${question},${difficulty},${cid})`,
^^^^^^
SyntaxError: Unexpected identifier
at Object.exports.runInThisContext (vm.js:78:16)
at Module._compile (module.js:543:28)
at Object.Module._extensions..js (module.js:580:10)
at Module.load (module.js:488:32)
at tryModuleLoad (module.js:447:12)
at Function.Module._load (module.js:439:3)
at Module.runMain (module.js:605:10)
at run (bootstrap_node.js:420:7)
at startup (bootstrap_node.js:139:9)
at bootstrap_node.js:535:3
这是代码
app.put('/problems', function(req, res) {
pool.getConnection(function(err, connection) {
var p_list = new Array(4);
var qid = mysql.escape(req.body.qid);
var uid = mysql.escape(req.body.uid);
var question = mysql.escape(req.body.question);
var difficulty = mysql.escape(req.body.difficulty);
var cid = mysql.escape(req.body.cid);
var choices = req.body.choices;
var answer = mysql.escape(req.body.answer);
var explanation = mysql.escape(req.body.explanation);
var qid_choice = ``;
choices.forEach( choice => {
choice = mysql.escape(choice);
qid_choice += "("+qid+", "+choice+"),";
} );
qid_choice = qid_choice.slice(0,-1);
var queries = [
`INSERT INTO questions(qid, uid, question, difficulty, cid) VALUES(${qid},${uid},${question},${difficulty},${cid})`,
`INSERT INTO questionInfo(qid) VALUES(${qid})`,
`INSERT INTO choices(qid, choice) VALUES ${qid_choice}`,
`INSERT INTO solutions(qid, answer, explanation) VALUES(${qid},${answer},${explanation})`
];
for (let i=0; i<4; i++) {
p_list[i] = new Promise(function(resolve, reject) {
connection.query(
queries[i],
err => {
if (err) reject(err);
else resolve();
}
);
});
}
Promise.all(p_list).then(function() {
connection.release();
console.log(`[200] ${req.method} to ${req.url}`);
res.end();
}, function(err) {
connection.release();
console.log(`[500] ${req.method} to ${req.url} because ${err}`);
})
});
});
app.put('/problems',函数(req,res){
pool.getConnection(函数(err,connection){
var p_list=新数组(4);
var qid=mysql.escape(req.body.qid);
var uid=mysql.escape(req.body.uid);
var question=mysql.escape(req.body.question);
var-demobility=mysql.escape(请求主体难度);
var cid=mysql.escape(req.body.cid);
var choices=req.body.choices;
var answer=mysql.escape(req.body.answer);
var explainion=mysql.escape(req.body.explainion);
var qid_choice=`;
choices.forEach(choice=>{
choice=mysql.escape(choice);
qid_choice+=“(“+qid+”,“+choice+”)”;
} );
qid_choice=qid_choice.slice(0,-1);
变量查询=[
`在问题(qid、uid、问题、难度、cid)中插入值(${qid}、${uid}、${question}、${Demobility}、${cid})`,
`在questionInfo(qid)值(${qid})中插入`,
`插入选项(qid,choice)值${qid_choice}`,
`在解决方案(qid、答案、解释)中插入值(${qid}、${answer}、${Expression})`
];
for(设i=0;i{
如果(错误)拒绝(错误);
else解析();
}
);
});
}
Promise.all(p_list).then(function(){
连接。释放();
log(`[200]${req.method}到${req.url}`);
res.end();
},函数(err){
连接。释放();
log(`[500]${req.method}到${req.url},因为${err}`);
})
});
});
我正在使用节点版本7.3.0
我不知道为什么会发生这个错误。。。这太令人沮丧了
感谢阅读:)SQL注入警报
您的整个代码是一个有待利用的巨大漏洞。现在很少有可利用的SQL注入漏洞,但这里的每个参数中都有
永远不要这样做
或:
总是这样做
你的问题
看看您的问题,似乎要么您有不平衡的回跳,要么您在节点中发现了一个bug。很难说更多,因为您没有发布一个复制您的问题的最小示例,而是发布了路由处理程序的一个不完整部分,如果没有您删除的部分,该部分甚至无法运行
但是您应该感谢您遇到了反勾号的问题,因为如果没有它,您甚至不会知道您的代码有多不安全。我甚至不记得上次看到一个带有SQL注入漏洞的代码是什么时候了。自从我上次提到某人看这部连环漫画已经好几年了:
请阅读:
切记不要使用反勾号将未初始化的数据插入任何字符串,尤其是SQL。请不要使用模板字符串根据用户输入创建数据库查询字符串。这只会让你自己面临SQL注入攻击。@msdex谢谢!我会更加小心:)我以为mysql.escape方法会为我防止这些事情发生。。。非常感谢你!哇,这是不平衡的回跳哈哈。但我不会在SQL查询中使用它
connection.query(
`INSERT INTO questionInfo(qid) VALUES(${qid})`,
err => {
// ...
}
);
connection.query(
'INSERT INTO questionInfo(qid) VALUES(' + qid + ')',
err => {
// ...
}
);
connection.query(
'INSERT INTO questionInfo(qid) VALUES(?)',
qid,
err => {
// ...
}
);