javascript - Node.js API - 选择逗号分隔字符串中多个值的位置

Question

我有这个API(带有node.js和mysql):

localhost:4001/api/?id=555,666
localhost:4001/api/?id=555

在选择中，我检查参数是否有逗号(',')，如下所示:

...
if (id.includes(",")) {     
    return `${field} IN (?);` 
} else {
    return `${field} = ?`
} 
...

...得到这样的结果:

SQL: "SELECT * FROM table WHERE id IN (555,666)"
SQL: "SELECT * FROM table WHERE id=555;"

如果我过滤固定值，效果会很好。但是 LIKE 过滤又如何呢？

例如如果我过滤多个名称，我会这样做:

localhost:4001/api/?name=money,invest,stocks
localhost:4001/api/?name=money,invest
localhost:4001/api/?name=money

...
if (name.includes(",")) {       
    return `${field} IN (?)` 
} else {
    return `${field} LIKE ?`
} 
...

Result:

SQL: "SELECT * FROM table WHERE name IN (money,invest,stocks)"  
SQL: "SELECT * FROM table WHERE name IN (money,invest)"
SQL: "SELECT * FROM table WHERE name LIKE money;"   

...但我想要的是这样的:

Goal:

SQL: "SELECT * FROM table WHERE name LIKE '%money%' OR name LIKE '%invest%' OR name LIKE '%stocks%';"   
SQL: "SELECT * FROM table WHERE name LIKE '%money%' OR name LIKE '%invest%';"
SQL: "SELECT * FROM table WHERE name LIKE money;"

我需要如何更改我的查询？

Answer 1

这是一个示例，但请阅读下面有关 SQL 注入(inject)的注意事项:

var name = "money,invest,stocks";

var str = "SELECT * FROM table WHERE ";

if (name.includes(",")) {  
  var names = name.split(",");
  names.map((o,i)=>{
    str += "name LIKE '%"+o+"%' ";
   (i==names.length -1)?str += "":str += "OR ";

  }) 
} else{
  str += "name LIKE '%"+name+"%' ";
}

console.log(str);

您可以使用 .split() 将字符串转换为数组，并使用 .map() 迭代新数组。

<小时/>

我不知道您使用的是哪个驱动程序，但是如果您像上面的示例一样粘贴查询您的代码会暴露给 SQL Injection ，至prevent this ，你应该使用prepared statements 。因此，如果您在 Nodejs 中使用 mysql 库，示例将类似于:

var name = "money,invest,stocks";

var str = "SELECT * FROM table WHERE ";

if (name.includes(",")) {  
  var names = name.split(",");
  names.map((o,i)=>{
    names[i] = '%'+o+'%'; 
    str += "name LIKE ? ";
   (i==names.length -1)?str += "":str += "OR ";

  }) 
} else{
  str += "name LIKE ? ";
}

console.log(str);//SELECT * FROM table WHERE name LIKE ? OR name LIKE ? OR name LIKE ?
console.log(names);//[ '%money%', '%invest%', '%stocks%' ]

在查询中，您应该将所有参数作为数组(在本例中为名称)传递，如下所示:

connection.query(str,names,function(err,rows){
    //connection.release();
    if(!err) {
      //further code
      }
    });