
我读自:https://aws.amazon.com/blogs/database/using-the-data-api-to-interact-with-an-amazon-aurora-serverless-mysql-database/

RDSDataService 客户端还通过允许您在 SQL 语句中使用占位符参数来支持参数化查询。转义的输入值允许在运行时解析这些参数。参数化查询对于防止 SQL 注入攻击很有用。

但是当我将它与 Postgres 一起使用时,传递字符串 myname's 会破坏我的 SQL 语法。我不确定 RDSDataService 是如何像文档中所写的那样防范 SQL 注入攻击的。

谁能帮我解释一下?在这种情况下如何处理安全的 SQL 字符串?

更新:抱歉,是我的错。使用参数化查询时,RDSDataService 已经会对字符串字面量进行转义。




以下是一些基本代码,用于从 Redshift 或 Aurora 获取返回值并将其转换为以批处理参数集的形式插入到数据库中:

获取您的响应,包括元数据并将其传递给此函数。它将解析为字符串或整数。如果您需要支持更多数据类型,则必须在下面的函数中创建更多 if 语句:

// Sample Data API query response with result metadata included, used as the
// input of buildParameterSets below. ColumnMetadata describes each column
// (name/type); Records holds one Field object per column for every row.
const data = {
  ColumnMetadata: [
    {
      isCaseSensitive: true,
      isCurrency: false,
      isSigned: false,
      label: "dealer_name",
      length: 0,
      name: "dealer_name",
      nullable: 1,
      precision: 255,
      scale: 0,
      schemaName: "raw_data",
      tableName: "xxxxxxxxxxxxxxxxx",
      typeName: "varchar",
    },
    {
      isCaseSensitive: true,
      isCurrency: false,
      isSigned: false,
      label: "city",
      length: 0,
      name: "city",
      nullable: 1,
      precision: 255,
      scale: 0,
      schemaName: "raw_data",
      tableName: "xxxxxxxxxxxxxxxxx",
      typeName: "varchar",
    },
    {
      isCaseSensitive: false,
      isCurrency: false,
      isSigned: true,
      label: "vehicle_count",
      length: 0,
      name: "vehicle_count",
      nullable: 1,
      precision: 19,
      scale: 0,
      schemaName: "",
      tableName: "",
      typeName: "int8",
    },
  ],
  Records: [
    [
      { stringValue: "Grand Prairie Ford Inc." },
      { stringValue: "Grand Prairie" },
      { longValue: 18 },
    ],
    [
      { stringValue: "Currie Motors Ford of Valpo" },
      { stringValue: "Valparaiso" },
      { longValue: 16 },
    ],
  ],
  TotalNumRows: 2,
};

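/**
 * Turn a Data API query result into `parameterSets` for BatchExecuteStatement.
 *
 * Every record becomes one parameter set: an array of `{ name, value }`
 * entries, one per column, named after the column. The value type is chosen
 * from the column's `typeName`: names containing "int" (case-insensitive) map
 * to `longValue`, everything else to `stringValue`. A field returned as
 * `{ isNull: true }` is forwarded as `{ isNull: true }` instead of being
 * coerced into a string. Because the data travels as typed parameters rather
 * than being spliced into the SQL text, quotes in values (e.g. `myname's`)
 * need no manual escaping.
 *
 * Extend `fieldFor` when more column types (double, boolean, blob, ...) are
 * needed.
 *
 * @param {{ColumnMetadata: Array<{name: string, typeName: string}>, Records?: Array<Array<object>>}} res
 *   response of a statement executed with result metadata included
 * @returns {Array<Array<{name: string, value: object}>>} one parameter set per record
 * @throws {Error} when `res.ColumnMetadata` is missing (metadata was not requested)
 */
const buildParameterSets = (res) => {
  if (!Array.isArray(res?.ColumnMetadata)) {
    throw new Error("buildParameterSets: response has no ColumnMetadata; request result metadata");
  }
  // [name, typeName] per column, looked up by position for every record
  const columns = res.ColumnMetadata.map((c) => [c.name, c.typeName]);

  // Build the SqlParameter value for one field of one record.
  const fieldFor = (field, typeName) => {
    // NULL comes back as { isNull: true }; Object.values() would turn it into `true`
    if (field?.isNull === true) {
      return { isNull: true };
    }
    const raw = Object.values(field)[0];
    // NOTE: substring match also hits names like "point"/"interval"; tighten if such columns appear
    if (String(typeName).toLowerCase().includes("int")) {
      return { longValue: raw };
    }
    return { stringValue: raw };
  };

  // A statement that returned no rows may omit Records entirely
  return (res.Records ?? []).map((record) =>
    record.map((field, i) => ({
      name: columns[i][0],
      value: fieldFor(field, columns[i][1]),
    })),
  );
};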

// Demo: print the parameter sets derived from the sample response above.
console.log(buildParameterSets(data));

然后,您可以使用 AWS 开发工具包中的 BatchExecuteStatementCommand 插入:

https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-rds-data/classes/batchexecutestatementcommand.html

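// Needs `RDSDataClient` and the BatchExecuteStatement command from
// @aws-sdk/client-rds-data; `RDSBatchExecuteStatementCommand` is presumably
// an import alias of `BatchExecuteStatementCommand` — confirm in the import.
const rds_client = new RDSDataClient({ region: "us-east-2" });
// Named placeholders only; the values arrive as typed parameters and are
// never concatenated into the SQL text, so no manual escaping is needed.
const insert_sql = `INSERT INTO dealer_inventory (
  dealer_name,
  city,
  vehicle_count
  ) VALUES (
    :dealer_name,
    :city,
    :vehicle_count
  )`;

// Declared outside the try so it is in scope after the block; it stays
// undefined when the insert failed.
let insert_response;
try {
  const insert_params = {
    database: "dev",
    // parameterSets: the array produced by buildParameterSets(...) above
    parameterSets: parameterSets,
    sql: insert_sql,
    // credentials are resolved by the service from Secrets Manager; none are in code
    secretArn: process.env.SECRET_ARN,
    resourceArn: process.env.RESOURCE_ARN,
  };

  const insert_command = new RDSBatchExecuteStatementCommand(insert_params);
  insert_response = await rds_client.send(insert_command);

  // Report success only once send() resolved. Logging from `finally` also
  // printed "Inserted:" (with `undefined`) after a failed insert.
  console.log("Inserted: ");
  console.log(insert_response);
} catch (error) {
  console.log("RDS INSERT ERROR");
  console.log(error.message);
}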