我有这个API(带有node.js和mysql):
localhost:4001/api/?id=555,666
localhost:4001/api/?id=555
在选择中,我检查参数是否有逗号(','),如下所示:
...
if (id.includes(",")) {
return `${field} IN (?);`
} else {
return `${field} = ?`
}
...
...得到这样的结果:
SQL: "SELECT * FROM table WHERE id IN (555,666)"
SQL: "SELECT * FROM table WHERE id=555;"
如果我过滤固定值,效果会很好。但是 LIKE 过滤又如何呢?
例如如果我过滤多个名称,我会这样做:
localhost:4001/api/?name=money,invest,stocks
localhost:4001/api/?name=money,invest
localhost:4001/api/?name=money
...
if (name.includes(",")) {
return `${field} IN (?)`
} else {
return `${field} LIKE ?`
}
...
Result:
SQL: "SELECT * FROM table WHERE name IN (money,invest,stocks)"
SQL: "SELECT * FROM table WHERE name IN (money,invest)"
SQL: "SELECT * FROM table WHERE name LIKE money;"
...但我想要的是这样的:
Goal:
SQL: "SELECT * FROM table WHERE name LIKE '%money%' OR name LIKE '%invest%' OR name LIKE '%stocks%';"
SQL: "SELECT * FROM table WHERE name LIKE '%money%' OR name LIKE '%invest%';"
SQL: "SELECT * FROM table WHERE name LIKE money;"
我需要如何更改我的查询?
最佳答案
这是一个示例,但请先阅读下面有关 SQL 注入(SQL injection)的注意事项:
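// Unsafe illustration: the filter values are spliced straight into the SQL
// text. `name` stands in for the raw `?name=` query-string value, so whatever
// the client sends becomes part of the statement (SQL injection). This only
// shows the target shape of the WHERE clause; the placeholder version that
// follows is the one to use.
const name = "money,invest,stocks";
let str = "SELECT * FROM table WHERE ";
if (name.includes(",")) {
  // One `name LIKE '%value%'` term per comma-separated value, joined by OR.
  const names = name.split(",");
  str += names.map((o) => `name LIKE '%${o}%'`).join(" OR ");
} else {
  str += `name LIKE '%${name}%'`;
}
console.log(str);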
您可以使用 .split()
将字符串转换为数组,并使用 .map()
迭代新数组。
我不知道您使用的是哪个驱动程序,但如果您像上面的示例一样拼接查询字符串,您的代码就会暴露在 SQL 注入(SQL injection)之下;为了防止这种情况,您应该使用预处理语句(prepared statements)。因此,如果您在 Node.js 中使用 mysql 库,示例将类似于:
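/**
 * Build a parameterised `name LIKE ?` filter for a comma-separated value.
 * The SQL text only ever contains `?` placeholders; the values travel
 * separately so the driver escapes them instead of them becoming SQL.
 * @param {string} value - raw value of the `name` query-string parameter
 * @returns {{ sql: string, params: string[] }} WHERE fragment with one `?`
 *   per value, plus the matching `%value%` parameters in the same order
 */
function buildNameFilter(value) {
  // Always produce an array, even for a single value: the original only set
  // `names` in the comma branch, so the single-name query had a `?` with
  // nothing bound to it.
  const parts = value.includes(",") ? value.split(",") : [value];
  // `%` and `_` inside a value are still LIKE wildcards after binding; escape
  // them (and add an ESCAPE clause) if literal substring matching matters.
  const params = parts.map((o) => `%${o}%`);
  const sql = params.map(() => "name LIKE ?").join(" OR ");
  return { sql, params };
}

// `name` stands in for the raw `?name=` query-string value.
const name = "money,invest,stocks";
const { sql, params: names } = buildNameFilter(name);
const str = `SELECT * FROM table WHERE ${sql}`;
console.log(str);//SELECT * FROM table WHERE name LIKE ? OR name LIKE ? OR name LIKE ?
console.log(names);//[ '%money%', '%invest%', '%stocks%' ]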
在执行查询时,您应该把所有参数作为一个数组(在本例中为 names)一起传入,如下所示:
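// Query text and parameter array are passed separately: the driver binds each
// `?` to the matching element of `names`, so the values never enter the SQL
// text itself.
connection.query(str, names, function (err, rows) {
  //connection.release();
  if (err) {
    // Surface the failure rather than dropping it silently; the API route
    // should turn this into an error response for the client.
    console.error("query failed", err);
    return;
  }
  //further code
});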
关于javascript - Node.js API - 选择逗号分隔字符串中多个值的位置,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/51117666/