我是NodeJS的新手,在那里我尝试使用参数插入到表中,这样我就可以避免SQL注入并只转义任何可能引起问题的字符。
因此,我目前有一个无需参数即可插入数据的应用程序。
这是我到目前为止的内容:
var fs = require('fs'); var sql = require('mssql'); var LINQ = require("node-linq").LINQ; const simpleParser = require('mailparser').simpleParser; var Client = require('yapople').Client; var client = new Client({ hostname: 'xxxxxx', port: 995, tls: true, mailparser: true, username: 'xxxxx', password: 'xxxxx' }); const config = { user: 'xxxxxxx', password: 'xxxxx', server: 'xxxxx\\', port: 'xxxxx' database: 'xxxxxx', options: { instanceName: 'xxxxx' } }; (async function () { try { let pool = await sql.connect(config) //Get all current emails let emails = await pool.request() .query('select uid from email') //Get uids only var uids = new LINQ(emails.recordset) .Select(function(email) {return email.uid;}) .ToArray(); //Get all emails client.connect(function() { client.retrieveAll(function(err, messages) { messages.forEach(function(message) { //Check if the message exists in our database already. var messageId = message.messageId; var emailExists = new LINQ(uids) .Where(x=>x == messageId).ToArray(); //If the message do not exists then add them to the database if(emailExists.length == 0){ var sentDate = new Date(message.date).toISOString(); var subject = message.subject; var body = message.text; var mailAddress = ""; var mailAddressName = ""; if(message.from.length > 0){ mailAddress = message.from[0].address; mailAddressName = message.from[0].name; } const request = pool.request(); request.input('uid', sql.VarChar, messageId); request.input('mail_address', sql.VarChar, mailAddress); request.input('mail_address_display_name', sql.VarChar, mailAddressName); request.input('subject', sql.VarChar, subject); request.input('body', sql.VarChar, body); request.input('sent_date', sql.DateTime, sentDate); request.input('created_by', sql.VarChar, 'system'); let result = await request.query('INSERT INTO email(uid, mail_address, mail_address_display_name, subject, body, sent_date, created_by) OUTPUT INSERTED.ID values (@uid, @mail_address, @mail_address_display_name, @subject, @body, @sent_date, @created_by)', (err, result) => { console.dir(result) }) } }); client.quit(); }) }); } catch (err) { console.log(err); // ... error checks } })()
我正在查看准备好的语句,但无法正常工作。
这是我尝试使用准备好的语句的结果
const ps = new sql.PreparedStatement(); ps.input('uid', TYPES.VarChar); ps.input('mail_address', TYPES.VarChar); ps.input('mail_address_display_name', TYPES.VarChar); ps.input('subject', TYPES.VarChar); ps.input('body', TYPES.VarChar); ps.input('sent_date', TYPES.DateTime); ps.input('created_by', TYPES.VarChar); ps.prepare('INSERT INTO email(uid, mail_address, mail_address_display_name, subject, body, sent_date, created_by) ' + ' OUTPUT INSERTED.email_id VALUES (@uid, @mail_address, @mail_address_display_name, @subject, @body, @sent_date, @created_by)', err => { ps.execute({uid: messageId, mail_address: mailAddress, mail_address_display_name:mailAddressName, subject: subject, body: body, sent_date: sentDate, created_by: 'system' }, (err, result) => { // ... error checks ps.unprepare(err => { var x =1; }) }) })
您可以使用连接池请求对象添加参数,例如
const request = pool.request() request.input('myval', sql.VarChar, 'value') request.query('insert into testtable (somecolumn) values (@myval)', (err, result) => { console.dir(result) })