node.js sql 注入攻击防御方法 (sql Injection)

sql 注入的原理和方法应该都知道了，这里记录一下node-mysql提供的现成的api
https://github.com/felixge/node-mysql
node-mysql 提供了接口

In order to avoid SQL Injection attacks, you should always escape any userprovided data before using it inside a SQL query. You can do so using the

mysql.escape()

,

connection.escape()

or

pool.escape()

methods:

var userId = 'some user provided value';
var sql    = 'SELECT * FROM users WHERE id = ' + connection.escape(userId);
connection.query(sql, function(err, results) {
// ...
});