The principles and techniques of SQL injection should already be familiar; this note records the ready-made API that node-mysql provides for defending against it.
https://github.com/felixge/node-mysql
node-mysql provides an escaping interface. From its README:
In order to avoid SQL Injection attacks, you should always escape any user-provided data before using it inside a SQL query. You can do so using the mysql.escape(), connection.escape() or pool.escape() methods:
var mysql = require('mysql');
// Connection parameters are placeholders; substitute your own.
var connection = mysql.createConnection({ host: 'localhost', user: 'me', password: 'secret', database: 'my_db' });
var userId = 'some user provided value';
// connection.escape() wraps the value in quotes and escapes special characters.
var sql = 'SELECT * FROM users WHERE id = ' + connection.escape(userId);
connection.query(sql, function(err, results) {
// ...
});
connection.end();
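To make the effect of escaping visible without a database, here is an added example (not node-mysql's own code): a simplified re-implementation of the escaping rules its README documents, namely quoting strings, backslash-escaping special characters and leaving numbers bare, plus the `?` placeholder substitution that `connection.query(sql, values, callback)` offers. The `escapeValue` and `format` names and the sample input are constructed for this illustration.

```javascript
'use strict';

// Characters that node-mysql's escaping replaces, and their escaped forms.
var ESCAPES = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\'
};

// Turn one JavaScript value into a SQL literal (simplified re-implementation).
function escapeValue(val) {
  if (val === undefined || val === null) return 'NULL';
  if (typeof val === 'number') return String(val);
  if (typeof val === 'boolean') return val ? 'true' : 'false';
  if (Array.isArray(val)) return val.map(escapeValue).join(', ');
  // Strings: escape each special character, then wrap in single quotes.
  var body = String(val).replace(/[\0\b\t\n\r\x1a"'\\]/g, function (ch) {
    return ESCAPES[ch];
  });
  return "'" + body + "'";
}

// Substitute each "?" in sql with the escaped form of the next value,
// the way the library's placeholder form of query() does.
function format(sql, values) {
  var i = 0;
  return sql.replace(/\?/g, function () {
    return i < values.length ? escapeValue(values[i++]) : '?';
  });
}

// Constructed input shaped like an injection attempt. With plain string
// concatenation it changes the WHERE clause; escaped, it is only a string
// literal that matches no id.
var userId = "1' OR '1'='1";
var unsafeSql = 'SELECT * FROM users WHERE id = ' + userId;
var safeSql = format('SELECT * FROM users WHERE id = ?', [userId]);
console.log(unsafeSql); // SELECT * FROM users WHERE id = 1' OR '1'='1
console.log(safeSql);   // SELECT * FROM users WHERE id = '1\' OR \'1\'=\'1'
```

In an application, call the library's own `connection.escape()` or pass values through the `?` placeholders rather than this re-implementation.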