用参数插入nodejs mssql

我是NodeJS的新手,在那里我尝试使用参数插入到表中,这样我就可以避免SQL注入并只转义任何可能引起问题的字符。

因此,我目前有一个无需参数即可插入数据的应用程序。

这是我到目前为止的内容:

var fs = require('fs');

var sql = require('mssql');

var LINQ = require("node-linq").LINQ;

const simpleParser = require('mailparser').simpleParser;

var Client = require('yapople').Client;

var client = new Client({

hostname: 'xxxxxx',

port: 995,

tls: true,

mailparser: true,

username: 'xxxxx',

password: 'xxxxx'

});

const config = {

user: 'xxxxxxx',

password: 'xxxxx',

server: 'xxxxx\\',

port: 'xxxxx'

database: 'xxxxxx',

options: {

instanceName: 'xxxxx'

}

};

(async function () {

try {

let pool = await sql.connect(config)

//Get all current emails

let emails = await pool.request()

.query('select uid from email')

//Get uids only

var uids = new LINQ(emails.recordset)

.Select(function(email) {return email.uid;})

.ToArray();

//Get all emails

client.connect(function() {

client.retrieveAll(function(err, messages) {

messages.forEach(function(message) {

//Check if the message exists in our database already.

var messageId = message.messageId;

var emailExists = new LINQ(uids)

.Where(x=>x == messageId).ToArray();

//If the message do not exists then add them to the database

if(emailExists.length == 0){

var sentDate = new Date(message.date).toISOString();

var subject = message.subject;

var body = message.text;

var mailAddress = "";

var mailAddressName = "";

if(message.from.length > 0){

mailAddress = message.from[0].address;

mailAddressName = message.from[0].name;

}

const request = pool.request();

request.input('uid', sql.VarChar, messageId);

request.input('mail_address', sql.VarChar, mailAddress);

request.input('mail_address_display_name', sql.VarChar, mailAddressName);

request.input('subject', sql.VarChar, subject);

request.input('body', sql.VarChar, body);

request.input('sent_date', sql.DateTime, sentDate);

request.input('created_by', sql.VarChar, 'system');

let result = await request.query('INSERT INTO email(uid, mail_address, mail_address_display_name, subject, body, sent_date, created_by) OUTPUT INSERTED.ID values (@uid, @mail_address, @mail_address_display_name, @subject, @body, @sent_date, @created_by)', (err, result) => {

console.dir(result)

})

}

});

client.quit();

})

});

} catch (err) {

console.log(err);

// ... error checks

}

})()

我正在查看准备好的语句,但无法正常工作。

这是我尝试使用准备好的语句的结果

const ps = new sql.PreparedStatement();

ps.input('uid', TYPES.VarChar);

ps.input('mail_address', TYPES.VarChar);

ps.input('mail_address_display_name', TYPES.VarChar);

ps.input('subject', TYPES.VarChar);

ps.input('body', TYPES.VarChar);

ps.input('sent_date', TYPES.DateTime);

ps.input('created_by', TYPES.VarChar);

ps.prepare('INSERT INTO email(uid, mail_address, mail_address_display_name, subject, body, sent_date, created_by) ' +

' OUTPUT INSERTED.email_id VALUES (@uid, @mail_address, @mail_address_display_name, @subject, @body, @sent_date, @created_by)',

err => {

ps.execute({uid: messageId,

mail_address: mailAddress,

mail_address_display_name:mailAddressName,

subject: subject,

body: body,

sent_date: sentDate,

created_by: 'system'

}, (err, result) => {

// ... error checks

ps.unprepare(err => {

var x =1;

})

})

})

回答:

您可以使用连接池请求对象添加参数,例如

const request = pool.request()

request.input('myval', sql.VarChar, 'value')

request.query('insert into testtable (somecolumn) values (@myval)', (err, result) => {

console.dir(result)

})

以上是 用参数插入nodejs mssql 的全部内容, 来源链接: utcz.com/qa/417320.html

回到顶部