How to prevent sql-injection in nodejs and sequelize?

I want to write custom queries with Sequelize and avoid potential SQL injection problems as far as possible. So my question is: is there a safe way to write custom queries with inserted variables using Sequelize?

Sequelize escapes replacements, which avoids the core problem of SQL injection attacks: unescaped strings. When using SQLite or PostgreSQL it also supports bind parameters, which reduce the risk further by sending the parameters to the database separately from the query text, as documented here:

Bind parameters are like replacements. Except replacements are escaped and inserted into the query by sequelize before the query is sent to the database, while bind parameters are sent to the database outside the SQL query text. A query can have either bind parameters or replacements.

Only SQLite and PostgreSQL support bind parameters. Other dialects will insert them into the SQL query in the same way it is done for replacements. Bind parameters are referred to by either $1, $2, ... (numeric) or $key (alpha-numeric). This is independent of the dialect.
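The same lookup written three ways against `sequelize.query()`, as an added example that is not from the question or the answer above: unsafe string concatenation beside the replacements and bind-parameter forms. It assumes a `users` table with `id` and `email` columns; `recordingSequelize()` is a constructed stand-in that records what would be sent instead of talking to a database, so the file runs offline.

```javascript
// Added example, not code from the question or answer above. `sequelize` is
// any Sequelize instance; recordingSequelize() below is a constructed
// stand-in so nothing here needs a real database.

// UNSAFE: the untrusted value becomes part of the SQL text. A single quote in
// the input closes the string literal and the remainder is parsed as SQL.
function findByEmailUnsafe(sequelize, email) {
  const sql = "SELECT id, email FROM users WHERE email = '" + email + "'";
  return sequelize.query(sql, { type: 'SELECT' });
}

// Replacements: Sequelize escapes the value and substitutes :email before the
// query is sent. The SQL text you write never changes with the input.
function findByEmailReplacements(sequelize, email) {
  return sequelize.query('SELECT id, email FROM users WHERE email = :email', {
    replacements: { email },
    type: 'SELECT', // same value as QueryTypes.SELECT
  });
}

// Bind parameters: on PostgreSQL/SQLite the value travels to the database
// separately from the SQL text; other dialects fall back to escaping.
function findByEmailBind(sequelize, email) {
  return sequelize.query('SELECT id, email FROM users WHERE email = $email', {
    bind: { email },
    type: 'SELECT',
  });
}

// Constructed stand-in for a Sequelize instance: records each call instead of
// executing it (a real query() returns a Promise of the rows).
function recordingSequelize() {
  const calls = [];
  return {
    calls,
    query(sql, options) { calls.push({ sql, options }); return []; },
  };
}

// Show what each variant would hand to the database for an input that
// contains a quote character.
function demo(email = "o'hara@example.com") {
  const db = recordingSequelize();
  findByEmailUnsafe(db, email);
  findByEmailReplacements(db, email);
  findByEmailBind(db, email);
  return db.calls;
}

for (const c of demo()) console.log(c.sql, JSON.stringify(c.options));
```

Only the first variant lets the input alter the SQL text; in the other two the value is carried in the options object and never touches the query string you wrote.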