0

I have query for adding columns to a database in my Node server:

const query = 'ALTER TABLE ' + mysql.escape(tableData[i]) + ' ADD ' + mysql.escape(attributeData[0]) + ' FLOAT DEFAULT NULL;'

If I use they query without mysql.escape() it adds the columns as it is supposed to. However when using the escape function for preventing sql injections it no longer works. Why is that?

Here is an example query with the escape function, it returns no error but also doesn't add the column to the table:

ALTER TABLE '1$0_Test_2018' ADD 'Eigenschaft_3' FLOAT DEFAULT NULL;

This query works just fine, however I want to make sure to escape user data:

ALTER TABLE 1$0_Test_2018 ADD Eigenschaft_3 FLOAT DEFAULT NULL;
4

1 回答 1

1

看起来您的问题可能是转义方法返回用引号而不是反引号包裹的值。

github 文档中,您似乎只需要更改escapeescapeId.

如果您不能信任 SQL 标识符(数据库/表/列名),因为它是由用户提供的,您应该使用 mysql.escapeId(identifier) 对其进行转义

于 2019-06-13T08:26:31.037 回答