Azure函数应用程序中的SQL注入保护错误

ep6jt1vc  于 2023-08-07  发布在  其他
关注(0)|答案(1)|浏览(100)

我有Azure Function应用程序函数,用于从应用程序到SQL数据库的API调用。我正在尝试使用参数化查询来保护数据库免受SQL注入。我已经能够在SELECT和INSERT这样的查询语句上做到这一点,但我在使用DELETE语句时遇到了麻烦。我一直收到一个500的响应,并显示错误消息**Must declare the scalar variable“@agencyId”.**我正在声明这个变量,所以我不知道为什么它会这样说。有没有人有更好的办法,或者更好的方法?

const userName1 = process.env["DB_USERNAME"];  
const password1 = process.env["DB_PASSWORD"];  
const server1 = process.env["DB_SERVER"];  
const database1 = process.env["DB_NAME"];  
  
module.exports = async function (context, req) {  
    context.log('JavaScript HTTP trigger function processed a request.');  
  
    if (!req.body || !req.body.AGENCY_ID) {  
        context.res = {  
            status: 400,  
            body: "Please provide a valid AGENCY_ID in the request body."  
        };  
        return;  
    }  
  
      const parameters = [  
        { name: 'agencyId', sqlType: sql.Int, value: req.body.AGENCY_ID }  
    ];  
    const query = 'DELETE FROM Agency_Defs WHERE AGENCY_ID = @agencyId;';  

  
    var dbConfig = {  
        server: server1,  
        database: database1,  
        user: userName1,  
        requestTimeout: 600000,  
        password: password1,  
        port: 1433,  
        options: {  
            encrypt: true  
        }  
    };  
  
    try {  
        await sql.connect(dbConfig);  
        const result = await sql.query(query, parameters);  
  
        context.res = {  
            body: result  
        };  
    } catch (error) {  
        context.res = {  
            status: 500,  
            body: error.message  
        };  
    }  
}

字符串

Azure

1条答案

按热度按时间
s71maibg

s71maibg1#

已使用此代码删除Iteams SQL Server

const  sql = require('mssql');
const  config = {
user:  'sampath125',
password:  'Ra@80muravi',
server:  'sampath234',
database:  'sampath',
};
module.exports = async  function  (context,  req)  {
try  {
await  sql.connect(config);
const  {  agencyId  } = req.body;
if (!agencyId) {
context.res = {
status:  400,
body:  'Please provide the agencyId in the request body.',
};
return;
}
const  query = `DELETE FROM Agency_Defs WHERE AGENCY_ID = @agencyId`;
const  request = new  sql.Request();
request.input('agencyId',  sql.Int,  agencyId);
const  result = await  request.query(query);
await  sql.close();
context.res = {
status:  200,
body:  `Deleted ${result.rowsAffected[0]} records successfully!`,
};
}  catch (err) 
{
context.res = {
status:  500,
body:  err.message,
};
}
};

字符串


的数据



使用MSSQL Server:


使用Azure SQL Server:


赞(0)分享  回复(0)举报  2023-08-07
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com