未加星标

Parsing string in nodejs

字体大小 | |
[前端(javascript) 所属分类 前端(javascript) | 发布者 店小二05 | 时间 2019 | 作者 红领巾 ] 0人收藏点击收藏

I am uploading images using nodejs

My query is like:

var user = req.body; var imgurl=projectDir +"/uploads/"+req.files.displayImage.name; var sql= "INSERT INTO users values('','"+user.name+"','"+user.email+"','"+user.user+"','"+user.pass+"','"+imgurl+"',now())";

Everything goes right, accept one that when it inserts imgurl it does not parse it,

My project directory is D:\node also I get it in projectDir =D:\node

But it will insert in database like:

D: ode/uploads/canvas.png

I understand that it converts \n to new line ,

So, my question is how to prevent this and what should I do for both single and double quotes insertion ?

Thanks.

Problem courtesy of: Rohan Kumar

Solution

Escape them using \ as such \\n or \" \' etc.

Here's a related question that answers your query . The method:

function mysql_real_escape_string (str) { return str.replace(/[\0\x08\x09\x1a\n\r"'\\\%]/g, function (char) { switch (char) { case "\0": return "\\0"; case "\x08": return "\\b"; case "\x09": return "\\t"; case "\x1a": return "\\z"; case "\n": return "\\n"; case "\r": return "\\r"; case "\"": case "'": case "\\": case "%": return "\\"+char; // prepends a backslash to backslash, percent, // and double/single quotes } }); }

You can store the mysql_real_escape_string() function as a separate module and require it before usage or directly insert it into the .js file that will be using it. You could use it as shown below:

var sql= "INSERT INTO users values('','"+user.name+"','"+user.email+"','"+user.user+"','"+user.pass+"','"+mysql_real_escape_string(imgurl)+"',now())";

Solution courtesy of: zeusdeux

Discussion

Uggh, escape all the backslash and quotes in your query string. Always use connection.escape

var mysql = require('mysql'); var connection = mysql.createConnection(...); var userId = 'some user provided value'; var sql = 'SELECT * FROM users WHERE id = ' + connection.escape(userId); connection.query(sql, function(err, results) { // ... });

Discussion courtesy of: user568109

You should consider preparing your queries using the '?' syntax ( https://github.com/felixge/node-mysql#preparing-queries ).

var sql= "INSERT INTO users SET ?"; // Connection attained as listed above. connection.query( sql, { name:user.name, email:user.email, user:user.user, pass:user.pass, image:imgurl, timestamp:now()}, function(err, result){ // check result if err is undefined. });

Using this pattern, node-mysql will do all the escaping and safety checks for you.

Hope this helps...

Discussion courtesy of: J. Rambo

This recipe can be found in it's original form on Stack Over Flow .

本文前端(javascript)相关术语:javascript是什么意思 javascript下载 javascript权威指南 javascript基础教程 javascript 正则表达式 javascript设计模式 javascript高级程序设计 精通javascript javascript教程

代码区博客精选文章
分页:12
转载请注明
本文标题:Parsing string in nodejs
本站链接:https://www.codesec.net/view/628360.html


1.凡CodeSecTeam转载的文章,均出自其它媒体或其他官网介绍,目的在于传递更多的信息,并不代表本站赞同其观点和其真实性负责;
2.转载的文章仅代表原创作者观点,与本站无关。其原创性以及文中陈述文字和内容未经本站证实,本站对该文以及其中全部或者部分内容、文字的真实性、完整性、及时性,不作出任何保证或承若;
3.如本站转载稿涉及版权等问题,请作者及时联系本站,我们会及时处理。
登录后可拥有收藏文章、关注作者等权限...
技术大类 技术大类 | 前端(javascript) | 评论(0) | 阅读(78)