使用 node/js/MySQL 工作台将变量传递给查询字符串

Question

问题：将变量传递到插入语句时，我的数据库中收到了一个空插入。变量是 firstName、lastName、email、passW。

我所知道的：我知道我正在取回用户输入表单数据。我正在安慰它们在插入语句之前存储的变量，该语句起作用并将表单数据打印到控制台。当表单在网页上提交时，它存储了“firstName”、“LastName”、“email”、“passW”这些都是变量。但是当我将它们传递给 MySQL Workbench 时，它们会以 null 的形式发布。我的结论是变量没有被正确传递，但是当我尝试来自这个页面和其他页面的建议时，它会抛出一个语法错误，即 SQL 的语法不正确。如果您需要我不提供或需要我发布测试结果的信息，我会尽可能多地添加信息，LMK。

代码

var express = require("express");
var http = require("http");
var mysql = require("mysql");
var express = require("express");
var path = require("path");

var app = express();
var PORT = 3001;

// Sets up the Express app to handle data parsing
app.use(express.urlencoded({ extended: false }));
app.use(express.static(path.join(__dirname, 'public'))); // testing
app.use(express.json());
app.use("/assets", express.static("assets"))


// home page route
app.get("/", function(req, res) {
    res.sendFile(path.join(__dirname, "index.html"));
  });
// create account route
app.get("/create", function(req, res) {
  res.sendFile(path.join(__dirname, "create.html"))
});
// login route
app.get("/login", function(req, res) {
  res.sendFile(path.join(__dirname, "login.html"))
});


// DB Connection
var connection = mysql.createConnection({
  host: "localhost",
  user: "root",
  password: "",
  database: "sportsCorner",
  port: 3306,
});
// connection response 
connection.connect(function (err) {
  console.log("SQL connected as id " + connection.threadId)
});  


// Takes the data from our login form
app.post('/handler', function (req, res) {


  // user input from the forms
  var firstName = req.body.firstName;
  var lastName = req.body.lastName;
  var email = req.body.email;
  var passW = req.body.password;

  // testing our responses stored in the variables 
  console.log("F: " + firstName, "L: " + lastName, "E: " + email, "P: " + passW)

  connection.query("INSERT INTO loginInfo VALUES(firstName, lastName, email, passW)", function (err, res) {
    if (err) throw err;
    console.log("Inserted ...")
  });

  // Getting login info from DB
  connection.query('SELECT * from loginInfo', function (err, res) {
    if (err) throw err;
    console.log(res)
    console.log("Response ...")
  })
});


// Start Server
app.listen(PORT, function() {
  console.log("Server listening on: http://localhost:" + PORT);
});
   </script>

<HTML> (FORM)
 <form method="POST" action="/handler">
   <input type="text" name="firstName" placeholder="First Name">
   <input type="text" name="lastName" placeholder="Last Name">
   <input type="email" name="email" placeholder="Email">
   <input type="password" name="password" placeholder="Password">
   <input type="submit" />
 </form>
</HTML>

提前感谢您的帮助

Answer 1

将其用作插入查询

var sql = `INSERT INTO loginInfo 
            VALUES
            (
                ?, ?, ?, ?
            )`;
connection.query(sql, [firstName, lastName, email, passW], function (err, res) {
    if (err) throw err;
    console.log("Inserted ...")
  });

Answer 2

尝试改变这一点：

connection.query("INSERT INTO loginInfo VALUES(firstName, lastName, email, passW)", function (err, res) {
    if (err) throw err;
    console.log("Inserted ...")
  });

对此：

 connection.query(`INSERT INTO loginInfo VALUES('${firstName}', '${lastName}', '${email}', '${passW}')`, function (err, res) {
    if (err) throw err;
    console.log("Inserted ...")
  });

Answer 3

您好，您的代码已调试如下

var express = require("express");
var http = require("http");
var mysql = require("mysql");
var express = require("express");
var path = require("path");

var app = express();
var PORT = 3001;

// Sets up the Express app to handle data parsing
app.use(express.urlencoded({ extended: false }));
app.use(express.static(path.join(__dirname, 'public'))); // testing
app.use(express.json());
app.use("/assets", express.static("assets"))


// home page route
app.get("/", function (req, res) {
    res.sendFile(path.join(__dirname, "index.html"));
});
// create account route
app.get("/create", function (req, res) {
    res.sendFile(path.join(__dirname, "create.html"))
});
// login route
app.get("/login", function (req, res) {
    res.sendFile(path.join(__dirname, "login.html"))
});


// DB Connection
let connection = mysql.createConnection({
    host: "localhost",
    user: "root",
    password: "root",
    database: "sportsCorner",
    port: 3306
});

// connection response 
connection.connect(function (err) {
    if (err) throw err;
    console.log("Connected to MySQL database!");
});

// Takes the data from our login form
app.post('/handler', function (req, res) {


    // user input from the forms
    var firstName = req.body.firstName;
    var lastName = req.body.lastName;
    var email = req.body.email;
    var passW = req.body.password;

    // testing our responses stored in the variables 
    console.log("F: " + firstName, "L: " + lastName, "E: " + email, "P: " + passW)

    let queryAddUser = `INSERT INTO loginInfo (firstName, lastName, email, passW) \
        VALUES (?, ?, ?, ?)`;

    // Protect your query from SQL attacks
    let preparedQuery = connection.format(queryAddUser, [firstName, lastName, email, passW]);

    // Execute the query
    connection.query(preparedQuery, function (error, result) {
        if (error) throw error;
        console.log('QUERY ADD NEW USER EXECUTED SUCCESSFULLY', result);
    });

    // Query count users
    let queryCountUsers = "SELECT count(*) as totalUsers FROM `loginInfo`";

    // Execute the query
    connection.query(queryCountUsers, function (error, result) {
        if (error) throw error;
        console.log('QUERY queryCountUsers EXECUTED SUCCESSFULLY', result);
    });
});


// Start Server
app.listen(PORT, function () {
    console.log("Server listening on: http://localhost:" + PORT);
});

我添加了准备查询语句 connection.format() 以防止 SQL 注入攻击。