在 Nodejs 和 Express 中使用 Mysql (node-mysql)
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/5878266/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Using Mysql with Nodejs and Express (node-mysql)
提问by georgesamper
Im new to node and express and I have a question regarding using mysql. I have a login form that posts to '/login'. Im using the node-mysql module.
我是 node 和 express 的新手,我有一个关于使用 mysql 的问题。我有一个登录表单,发布到“/登录”。我使用 node-mysql 模块。
app.get('/site', function(req, res){
if (req.session.is_logged_in === true) {
res.render('site/start', {
title: 'News'
});
} else {
res.redirect('/');
}
});
app.post('/login', function(req, res){
client.query('SELECT id, user_name FROM user WHERE email="' + req.body.login + '" AND password="' + Hash.sha1(req.body.password) + '"',
function (err, results, fields) {
if (err) {
throw err;
}
if (results[0]) {
req.session.userInfo = results[0];
req.session.is_logged_in = true;
res.render('site/start', {
title: 'News'
});
}
else {
res.redirect('/');
}
}
);
});
Is this a good way to do it? Can i continue this way? And are the sql querys escaped in some way, or do i have to write that functionality myself?
这是一个很好的方法吗?我可以继续这样吗?并且 sql 查询是否以某种方式转义,还是我必须自己编写该功能?
Last question: Im rewriting a site, and i used the mysql db. Are there any benefits to changing it to mongodb?
最后一个问题:我重写了一个站点,我使用了 mysql db。将其更改为 mongodb 有什么好处吗?
Any help would be appreciated
任何帮助,将不胜感激
Thanks in advance
提前致谢
George
乔治
采纳答案by yojimbo87
Is this a good way to do it? Can i continue this way? And are the sql querys escaped in some way, or do i have to write that functionality myself?
这是一个很好的方法吗?我可以继续这样吗?并且 sql 查询是否以某种方式转义,还是我必须自己编写该功能?
You should sanitize your SQL query parameters first. For example by utilizing functionality of node-validatormodule in order to prevent SQL injection attacks.
您应该首先清理您的 SQL 查询参数。例如,通过利用节点验证器模块的功能来防止SQL 注入攻击。
I'm rewriting a site, and i used the mysql db. Are there any benefits to changing it to mongodb?
我正在重写一个站点,并且我使用了 mysql 数据库。将其更改为 mongodb 有什么好处吗?
In general it depends on the functionality of your site and other stuff. Try to look at thisquestion.
一般来说,这取决于您网站的功能和其他东西。试着看看这个问题。
回答by Geoff Chappell
The node-mysql Client object has an escape method that can help with this. You can either call that manually, or use the form of query that accepts parameters. E.g:
node-mysql Client 对象有一个转义方法可以帮助解决这个问题。您可以手动调用它,也可以使用接受参数的查询形式。例如:
client.query('SELECT id, user_name FROM user WHERE email=?',
[req.body.login], ...
Note using the parameter method doesn't actually submit a parameterized query to mysql, it just takes care of the parameter substitution and escaping for you.
请注意,使用参数方法实际上并不向 mysql 提交参数化查询,它只是为您处理参数替换和转义。
BTW, here's what the escape does:
顺便说一句,这就是逃生的作用:
https://github.com/felixge/node-mysql/blob/master/lib/protocol/SqlString.js#L3
https://github.com/felixge/node-mysql/blob/master/lib/protocol/SqlString.js#L3
回答by sdepold
If your site becomes more complex you might be interested in using an ORM for your MySQL stuff. Sequelize uses the node-mysql lib and manages the complete sql stuff for: http://sequelizejs.com
如果您的站点变得更加复杂,您可能有兴趣为您的 MySQL 内容使用 ORM。Sequelize 使用 node-mysql 库并管理完整的 sql 内容:http://sequelizejs.com
