Problem description
I'm trying to run a simple website and ran into the following backtick error:
`INSERT INTO questions(qid, uid, question, difficulty, cid) VALUES(${qid},${uid},${question},${difficulty},${cid})`,
^^^^^^
SyntaxError: Unexpected identifier
at Object.exports.runInThisContext (vm.js:78:16)
at Module._compile (module.js:543:28)
at Object.Module._extensions..js (module.js:580:10)
at Module.load (module.js:488:32)
at tryModuleLoad (module.js:447:12)
at Function.Module._load (module.js:439:3)
at Module.runMain (module.js:605:10)
at run (bootstrap_node.js:420:7)
at startup (bootstrap_node.js:139:9)
at bootstrap_node.js:535:3
Here is the code:
app.put('/problems', function(req, res) {
    pool.getConnection(function(err, connection) {
        // added check: the original never inspected the getConnection error
        if (err) {
            console.log(`[500] ${req.method} to ${req.url} because ${err}`);
            res.statusCode = 500;
            return res.end();
        }
        var p_list = new Array(4);
        // mysql.escape() quotes each value before it is spliced into the SQL text
        var qid = mysql.escape(req.body.qid);
        var uid = mysql.escape(req.body.uid);
        var question = mysql.escape(req.body.question);
        var difficulty = mysql.escape(req.body.difficulty);
        var cid = mysql.escape(req.body.cid);
        var choices = req.body.choices;
        var answer = mysql.escape(req.body.answer);
        var explanation = mysql.escape(req.body.explanation);
        // build the "(qid, choice),(qid, choice)" list for the bulk insert
        var qid_choice = ``;
        choices.forEach( choice => {
            choice = mysql.escape(choice);
            qid_choice += "("+qid+", "+choice+"),";
        } );
        qid_choice = qid_choice.slice(0,-1); // drop the trailing comma
        var queries = [
            `INSERT INTO questions(qid, uid, question, difficulty, cid) VALUES(${qid},${uid},${question},${difficulty},${cid})`,
            `INSERT INTO questionInfo(qid) VALUES(${qid})`,
            `INSERT INTO choices(qid, choice) VALUES ${qid_choice}`,
            `INSERT INTO solutions(qid, answer, explanation) VALUES(${qid},${answer},${explanation})`
        ];
        // wrap each query in a promise so all four can be awaited together
        for (let i=0; i<4; i++) {
            p_list[i] = new Promise(function(resolve, reject) {
                connection.query(
                    queries[i],
                    err => {
                        if (err) reject(err);
                        else resolve();
                    }
                );
            });
        }
        Promise.all(p_list).then(function() {
            connection.release();
            console.log(`[200] ${req.method} to ${req.url}`);
            res.end();
        }, function(err) {
            connection.release();
            console.log(`[500] ${req.method} to ${req.url} because ${err}`);
            // added: the original left the request hanging on failure
            res.statusCode = 500;
            res.end();
        })
    });
});
I'm using Node version 7.3.0.
I have no idea why this error occurs... It's really frustrating.
Thanks for reading :)
Recommended answer
SQL Injection Alert
Your entire code is one big SQL injection vulnerability waiting to be exploited. It's pretty rare to have an exploitable SQL injection vulnerability these days, but here you have it in every parameter.
connection.query(
    `INSERT INTO questionInfo(qid) VALUES(${qid})`,
    err => {
        // ...
    }
);
Or:
connection.query(
    'INSERT INTO questionInfo(qid) VALUES(' + qid + ')',
    err => {
        // ...
    }
);
Always do it like this:
connection.query(
    'INSERT INTO questionInfo(qid) VALUES(?)',
    qid,
    err => {
        // ...
    }
);
Your problem
Looking at your problem, it seems that either you have unbalanced backticks or you found a bug in Node. It's hard to tell anything more because, instead of posting a minimal example that reproduces your problem, you posted an incomplete part of your route handler that cannot even be run without the parts that you removed.
But you should be grateful that you got the problem with backticks, because without it you would never even know how insecure your code is. I can't even remember when I last saw code with an SQL injection vulnerability. It's been years since I last referred someone to this comic strip:
Please read:
- https://en.wikipedia.org/wiki/SQL_injection
- http://www.beyondsecurity.com/about-sql-injection.html
- http://projects.webappsec.org/w/page/13246963/SQL%20Injection
- http://bobby-tables.com/
And remember never to use backticks to insert unsanitized data into any string, especially SQL.
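The parameterized form the answer recommends, applied to all four inserts from the question, as an added example that is not part of the question or the answer. `makeFakeConnection` is a constructed stand-in for a mysqljs connection that only records each (sql, values) pair, so the block runs offline; the `VALUES ?` bulk-insert expansion for the choices relies on mysqljs turning an array of arrays into a grouped list.

```javascript
// Constructed stand-in for a mysqljs connection: records (sql, values) pairs,
// optionally fails the query at index `failAt` to exercise the error path.
function makeFakeConnection(failAt = -1) {
  const log = [];
  return {
    log,
    query(sql, values, cb) {            // same call shape as mysqljs connection.query
      const idx = log.length;
      log.push({ sql, values });
      cb(idx === failAt ? new Error('constructed failure') : null);
    },
    release() { log.push({ released: true }); },
  };
}

// SQL text and user data stay separate: every value is bound through '?'.
function buildInsertQueries(body) {
  const { qid, uid, question, difficulty, cid, choices, answer, explanation } = body;
  return [
    ['INSERT INTO questions(qid, uid, question, difficulty, cid) VALUES(?, ?, ?, ?, ?)',
      [qid, uid, question, difficulty, cid]],
    ['INSERT INTO questionInfo(qid) VALUES(?)', [qid]],
    // mysqljs expands [[a, b], [c, d]] into "(a, b), (c, d)" for a bulk insert
    ['INSERT INTO choices(qid, choice) VALUES ?', [choices.map(c => [qid, c])]],
    ['INSERT INTO solutions(qid, answer, explanation) VALUES(?, ?, ?)',
      [qid, answer, explanation]],
  ];
}

// Runs all inserts, releases the connection on both paths and resolves to the
// HTTP status the handler should send (the original never answered on failure).
function insertProblem(connection, body) {
  const runs = buildInsertQueries(body).map(([sql, values]) =>
    new Promise((resolve, reject) =>
      connection.query(sql, values, err => (err ? reject(err) : resolve()))));
  return Promise.all(runs).then(
    () => { connection.release(); return 200; },
    () => { connection.release(); return 500; });
}

// Constructed request body; the quote-laden choice is just a bound string here.
const sampleBody = {
  qid: 7, uid: 3, question: 'Which port does HTTPS use?', difficulty: 1, cid: 2,
  choices: ['443', "80' OR '1'='1"], answer: '443', explanation: 'TLS on 443',
};
```

Because the choice containing quotes never touches the SQL text, the statement the driver sends is the same shape whatever the user typed.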
This concludes the article on not being able to use backticks with nodejs 7.3.0; we hope the recommended answer is helpful.