Do ES6 template literals protect against SQL injection?

Do ES6 template literals, when used to construct queries, protect against SQL injection? Can you provide some examples of common attacks and how they would be mitigated?

More specifically, I plan to use the mssql module in a node project. In their documentation under the template literals section it says "All values are automatically sanitized against SQL injection". Is this true purely because of how ES6 template literals work?


No. ES6 template literals are just another way of building strings. If you use them to build a raw SQL query from user-supplied input without any other filtering or escaping, they will not protect you from SQL injection:

let name = "Robert'; DROP TABLE Students;--"; // user supplied input
let sql = `SELECT * FROM Students WHERE name = '${name}'`; // build query...
console.log(sql); // Injected SQL! The literal just concatenated the input into the statement.
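Added example, not part of the original question or answer and not the mssql module's own code. It shows the mechanism behind the statement in the mssql docs: a *tagged* template literal hands the tag function the fixed SQL fragments and the interpolated values as separate arguments, so the tag can emit placeholders and pass the values out of band as parameters, which is what makes them safe. The `parameterize` tag below is a hypothetical stand-in modelled on that idea (its name, the `@p0` placeholder style and the returned shape are assumptions for illustration); the malicious input is constructed for the demo.

```javascript
// Constructed malicious input, the same payload as in the answer above.
const maliciousName = "Robert'; DROP TABLE Students;--";

// 1. Untagged template literal: ordinary string building. The value is
//    spliced straight into the SQL text, so the injection lands.
function buildRawQuery(userName) {
  return `SELECT * FROM Students WHERE name = '${userName}'`;
}

// 2. Hypothetical tag function (an assumption for illustration, modelled on
//    the idea behind mssql's tagged-template query). JavaScript calls a tag
//    with `strings` (the literal's fixed parts) and `values` (each ${...}).
//    The SQL text is assembled only from the fixed parts plus placeholders;
//    the values never touch the text and are returned as named parameters.
function parameterize(strings, ...values) {
  let text = strings[0];
  const params = {};
  values.forEach((value, i) => {
    const paramName = `p${i}`;
    params[paramName] = value;               // value travels out of band
    text += `@${paramName}` + strings[i + 1]; // placeholder goes into the SQL
  });
  return { text, params };
}

function buildParameterizedQuery(userName) {
  return parameterize`SELECT * FROM Students WHERE name = ${userName}`;
}

// Several interpolations each become their own parameter.
function buildAgeFilteredQuery(userName, minAge) {
  return parameterize`SELECT * FROM Students WHERE name = ${userName} AND age > ${minAge}`;
}

// Stand-alone demo of both behaviours.
function demo() {
  console.log(buildRawQuery(maliciousName));
  console.log(buildParameterizedQuery(maliciousName));
  console.log(buildAgeFilteredQuery(maliciousName, 18));
}

demo();
```

The protection comes entirely from the tag function, not from the backtick syntax: `buildRawQuery` uses the same `${}` interpolation and is fully injectable. The corollary for the mssql question is that a query string you build yourself with an untagged template and then hand to a plain query call is not sanitized at all; only the tagged form, where the library itself is the tag and sees the values separately, gets the parameterization.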