Question
This probably has a really easy answer but I'm not seeing it.
I want to do a raw query using Sequelize:
var sequelize = require('sequelize'); // must be a connected Sequelize instance, not just the module

// A JS string literal cannot span lines, so the SQL is built by concatenation;
// the old-style query(sql, callee, options, replacements) signature is kept.
sequelize
  .query("LOAD DATA LOCAL INFILE :file " +
         "INTO TABLE :table " +
         "FIELDS TERMINATED BY ',' ENCLOSED BY '\"' LINES TERMINATED BY '\\n';",
         null,
         {raw: true},
         {file: datasetPath, table: "dataset_" + datasetName});
The issue is that the replacement string includes single quotes for both the :file replacement (which is good because it's a path) and the :table replacement (which is bad because it's just supposed to be an unadorned table name, and breaks the query). How do I avoid those quotes in the case of the table name replacement?
Thanks.
Recommended answer
If you're sure that datasetName will never contain any possibility of SQL injections, you can directly insert the table name into the query, like so:
// Table name concatenated into the SQL text; only the file path goes through a replacement.
sequelize
  .query("LOAD DATA LOCAL INFILE :file " +
         "INTO TABLE dataset_" + datasetName + " " +
         "FIELDS TERMINATED BY ',' ENCLOSED BY '\"' LINES TERMINATED BY '\\n';",
         null,
         {raw: true}, {file: datasetPath});
The comment posted by mwarren doesn't really work in this case - Sequelize is seeing that it is a string being inserted, and accordingly escapes it.
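The answer above concatenates the table name into the SQL text, which is exactly the spot where an unchecked datasetName becomes SQL injection, because replacements only protect values, never identifiers. The following is an added example (not from the question, the answer, or the Sequelize project) showing how to keep the :file replacement for the path while validating and backtick-quoting the table name before it is spliced in. It assumes MySQL identifier rules (backtick quoting, backticks doubled inside, 64-character limit) and a hypothetical whitelist of letters, digits and underscores for datasetName; the query-building helpers return the SQL and the replacements so they can be checked without a database.

```javascript
'use strict';

// Quote a MySQL identifier: wrap in backticks and double any backtick inside.
// This is the generic escaping step; the whitelist below is the primary control.
function quoteIdentifier(name) {
  return '`' + String(name).replace(/`/g, '``') + '`';
}

// Hypothetical whitelist for dataset names: only [A-Za-z0-9_], and short enough
// that "dataset_" + name stays within MySQL's 64-character identifier limit.
const DATASET_NAME_RE = /^[A-Za-z0-9_]{1,56}$/;

function datasetTableName(datasetName) {
  if (!DATASET_NAME_RE.test(datasetName)) {
    throw new Error('invalid dataset name: ' + JSON.stringify(datasetName));
  }
  return 'dataset_' + datasetName;
}

// Build the LOAD DATA statement: the file path stays a :file replacement
// (Sequelize quotes it as a string value, which is correct for a path),
// while the table name is validated and quoted as an identifier here.
function buildLoadDataQuery(datasetName) {
  const table = quoteIdentifier(datasetTableName(datasetName));
  return 'LOAD DATA LOCAL INFILE :file ' +
         'INTO TABLE ' + table + ' ' +
         "FIELDS TERMINATED BY ',' ENCLOSED BY '\"' LINES TERMINATED BY '\\n'";
}

// Returns the pieces a caller would hand to sequelize.query(); constructed so the
// result can be inspected offline. With a connected instance this would be, for
// the old signature used in the question:
//   sequelize.query(sql, null, {raw: true}, replacements)
// or, for Sequelize v4 and later (assumption about the modern API):
//   sequelize.query(sql, {replacements: replacements})
function prepareLoadData(datasetPath, datasetName) {
  return {
    sql: buildLoadDataQuery(datasetName),
    replacements: {file: datasetPath},
  };
}

// Constructed sample inputs: one benign name and one that smuggles SQL.
const ok = prepareLoadData('/tmp/sales.csv', 'sales_2014');
console.log(ok.sql);
try {
  prepareLoadData('/tmp/x.csv', 'x`; DROP TABLE users; --');
} catch (e) {
  console.log('rejected:', e.message);
}

module.exports = {quoteIdentifier, datasetTableName, buildLoadDataQuery, prepareLoadData};
```

The whitelist is the control that matters: once datasetName is known to contain only letters, digits and underscores, concatenation is safe, and the backtick quoting is defense in depth that also lets the name coexist with reserved words. The same pattern applies to any identifier (column, database, index name) that arrives from user input, since no parameter-binding mechanism will ever escape those for you.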