将 Mysql 与 Nodejs 和 Express 结合使用 (node-mysql)
我是 Node 和 Express 的新手,我有一个关于 使用mysql。 我有一个登录表单,可以发布到“/login”。我使用的是node-mysql 模块。
app.get('/site', function(req, res){
if (req.session.is_logged_in === true) {
res.render('site/start', {
title: 'News'
});
} else {
res.redirect('/');
}
});
app.post('/login', function(req, res){
client.query('SELECT id, user_name FROM user WHERE email="' + req.body.login + '" AND password="' + Hash.sha1(req.body.password) + '"',
function (err, results, fields) {
if (err) {
throw err;
}
if (results[0]) {
req.session.userInfo = results[0];
req.session.is_logged_in = true;
res.render('site/start', {
title: 'News'
});
}
else {
res.redirect('/');
}
}
);
});
这是一个好方法吗?我可以继续这样吗? sql 查询是否以某种方式转义,或者我必须这样写 我自己的功能?
最后一个问题:我重写了一个网站,我使用了 mysql 数据库。有吗 将其更改为 mongodb 有什么好处吗?
任何帮助将不胜感激
提前致谢
乔治
Im new to node and express and I have a question regarding
using mysql.
I have a login form that posts to '/login'. Im using the node-mysql
module.
app.get('/site', function(req, res){
if (req.session.is_logged_in === true) {
res.render('site/start', {
title: 'News'
});
} else {
res.redirect('/');
}
});
app.post('/login', function(req, res){
client.query('SELECT id, user_name FROM user WHERE email="' + req.body.login + '" AND password="' + Hash.sha1(req.body.password) + '"',
function (err, results, fields) {
if (err) {
throw err;
}
if (results[0]) {
req.session.userInfo = results[0];
req.session.is_logged_in = true;
res.render('site/start', {
title: 'News'
});
}
else {
res.redirect('/');
}
}
);
});
Is this a good way to do it? Can i continue this way?
And are the sql querys escaped in some way, or do i have to write that
functionality myself?
Last question: Im rewriting a site, and i used the mysql db. Are there
any benefits to changing it to mongodb?
Any help would be appreciated
Thanks in advance
George
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
node-mysql Client 对象有一个转义方法可以帮助解决这个问题。您可以手动调用它,也可以使用接受参数的查询形式。例如:
注意使用参数方法实际上并不向mysql提交参数化查询,它只是为你处理参数替换和转义。
顺便说一句,这是转义的作用:
https://github.com/ felixge/node-mysql/blob/master/lib/protocol/SqlString.js#L3
The node-mysql Client object has an escape method that can help with this. You can either call that manually, or use the form of query that accepts parameters. E.g:
Note using the parameter method doesn't actually submit a parameterized query to mysql, it just takes care of the parameter substitution and escaping for you.
BTW, here's what the escape does:
https://github.com/felixge/node-mysql/blob/master/lib/protocol/SqlString.js#L3
您应该首先清理 SQL 查询参数。例如,通过利用 node-validator 模块的功能来防止 SQL 注入攻击。
一般来说,这取决于您网站的功能和其他内容。尝试查看这个问题。
You should sanitize your SQL query parameters first. For example by utilizing functionality of node-validator module in order to prevent SQL injection attacks.
In general it depends on the functionality of your site and other stuff. Try to look at this question.
如果您的站点变得更加复杂,您可能会对使用 ORM 来处理 MySQL 感兴趣。 Sequelize 使用 node-mysql 库并管理以下完整的 sql 内容: http://sequelizejs.com
If your site becomes more complex you might be interested in using an ORM for your MySQL stuff. Sequelize uses the node-mysql lib and manages the complete sql stuff for: http://sequelizejs.com