使用NodeJS7.3.0时不能使用回勾
提问于 2017-01-02 07:02:12
我试图运行一个简单的网站,并遇到了下面的反勾错误
`INSERT INTO questions(qid, uid, question, difficulty, cid) VALUES(${qid},${uid},${question},${difficulty},${cid})`,
^^^^^^
SyntaxError: Unexpected identifier
at Object.exports.runInThisContext (vm.js:78:16)
at Module._compile (module.js:543:28)
at Object.Module._extensions..js (module.js:580:10)
at Module.load (module.js:488:32)
at tryModuleLoad (module.js:447:12)
at Function.Module._load (module.js:439:3)
at Module.runMain (module.js:605:10)
at run (bootstrap_node.js:420:7)
at startup (bootstrap_node.js:139:9)
at bootstrap_node.js:535:3这是密码
app.put('/problems', function(req, res) {
pool.getConnection(function(err, connection) {
var p_list = new Array(4);
var qid = mysql.escape(req.body.qid);
var uid = mysql.escape(req.body.uid);
var question = mysql.escape(req.body.question);
var difficulty = mysql.escape(req.body.difficulty);
var cid = mysql.escape(req.body.cid);
var choices = req.body.choices;
var answer = mysql.escape(req.body.answer);
var explanation = mysql.escape(req.body.explanation);
var qid_choice = ``;
choices.forEach( choice => {
choice = mysql.escape(choice);
qid_choice += "("+qid+", "+choice+"),";
} );
qid_choice = qid_choice.slice(0,-1);
var queries = [
`INSERT INTO questions(qid, uid, question, difficulty, cid) VALUES(${qid},${uid},${question},${difficulty},${cid})`,
`INSERT INTO questionInfo(qid) VALUES(${qid})`,
`INSERT INTO choices(qid, choice) VALUES ${qid_choice}`,
`INSERT INTO solutions(qid, answer, explanation) VALUES(${qid},${answer},${explanation})`
];
for (let i=0; i<4; i++) {
p_list[i] = new Promise(function(resolve, reject) {
connection.query(
queries[i],
err => {
if (err) reject(err);
else resolve();
}
);
});
}
Promise.all(p_list).then(function() {
connection.release();
console.log(`[200] ${req.method} to ${req.url}`);
res.end();
}, function(err) {
connection.release();
console.log(`[500] ${req.method} to ${req.url} because ${err}`);
})
});
});我使用的是节点版本7.3.0
我不知道为什么会发生这个错误..。太让人沮丧了
(谢谢各位阅读:)
回答 1
Stack Overflow用户
回答已采纳
发布于 2017-01-02 09:54:12
SQL注入警报
您的整个代码是一个等待攻击的大型SQL注入漏洞。现在很少有可利用的SQL注入漏洞,但是在这里,每个参数都有这种漏洞。
永远不要这么做
connection.query(
`INSERT INTO questionInfo(qid) VALUES(${qid})`,
err => {
// ...
}
);或者:
connection.query(
'INSERT INTO questionInfo(qid) VALUES(' + qid + ')',
err => {
// ...
}
);总是这么做
connection.query(
'INSERT INTO questionInfo(qid) VALUES(?)',
qid,
err => {
// ...
}
);你的问题
看看你的问题,似乎要么你的背不平衡,要么你在节点上发现了一个bug。很难说出更多的信息,因为您没有发布一个复制问题的最小示例,而是发布了路由处理程序中的一个不完整部分,如果没有删除的部分,它甚至无法运行。
但是,您应该感谢backticks的问题,因为没有它,您甚至永远不会知道您的代码有多不安全。我甚至不记得上次看到带有SQL注入漏洞的代码是什么时候。我已经好几年没让别人看过这部漫画了:
请阅读:
- 注入
- http://www.beyondsecurity.com/about-sql-injection.html
- http://projects.webappsec.org/w/page/13246963/SQL%20Injection
- http://bobby-tables.com/
记住,永远不要使用backticks将未清理的数据插入到任何字符串中,特别是SQL。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/41429068
复制相关文章
腾讯云开发者
