春哥, I have recently been building a Lua application that reads from MySQL, based on your LuaRestyMySQLLibrary module.
I found a post online where you said that the ngx.quote_sql_str function can prevent SQL injection.
This is how I am using it; the code snippet is as follows:
-- `db` is a resty.mysql object that has already been created and connected
local my_temp_sql = "select * from test limit 1"
ngx.say("my_temp_sql", my_temp_sql) -- prints select * from test limit 1
local my_sql = ngx.quote_sql_str(my_temp_sql)
ngx.say("my_sql", my_sql) -- prints 'select * from test limit 1'
local res, err, errno, sqlstate = db:query(my_sql)
if not res then
    ngx.log(ngx.ERR, "bad result: ", err, ": ", errno, ": ", sqlstate, ".")
    return
end
I noticed that after going through ngx.quote_sql_str, a single quote (') is added at each end of the string.
The ngx.log line prints this error:
bad result: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' 'select * from test limit 1 ' ' at line 1: 1064: 42000
What is going on here?
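The following is an added example, not code from the post above and not part of lua-resty-mysql or ngx_lua itself. It shows the distinction the question runs into: ngx.quote_sql_str escapes and quotes one string value so that it can be spliced into SQL as a literal; it is not meant to wrap a whole statement. Quoting the entire statement produces the literal 'select * from test limit 1', which is exactly what MySQL reports as a syntax error near ' 'select * from test limit 1 ' '. It assumes an OpenResty handler (for example content_by_lua_block), an already connected resty.mysql object named db, and a table test with a column name; all of these are assumptions for illustration.

```lua
-- Added example for the question above (not from the original post).
-- Assumptions: runs inside OpenResty; `db` is a connected resty.mysql object;
-- a table `test` with a string column `name` exists.

-- WRONG: quoting the whole statement turns it into one string literal, so
-- MySQL sees  'select * from test limit 1'  and answers with error 1064.
local function broken_query(db)
    local sql = ngx.quote_sql_str("select * from test limit 1")
    return db:query(sql)
end

-- RIGHT: keep the SQL text fixed and quote only the untrusted value that is
-- spliced into it. ngx.quote_sql_str escapes quotes, backslashes and control
-- characters the way MySQL expects, then wraps the result in single quotes.
local function find_by_name(db, name)
    local sql = "select * from test where name = "
                .. ngx.quote_sql_str(name)
                .. " limit 1"
    return db:query(sql)
end

-- What the quoting does to a hostile value (the escaped form is what MySQL
-- receives, so the quote cannot terminate the literal):
--   ngx.quote_sql_str("a' or '1'='1")  -->  'a\' or \'1\'=\'1'

-- CAVEAT: ngx.quote_sql_str only ever yields a quoted *string* literal.
-- Numeric positions such as LIMIT/OFFSET or integer ids must be validated
-- separately, because "limit '10'" is itself a syntax error in MySQL.
local function first_n(db, n)
    local count = tonumber(n)
    if not count or count < 1 or count ~= math.floor(count) then
        return nil, "invalid limit"
    end
    local sql = string.format("select * from test limit %d", count)
    return db:query(sql)
end

-- Handler wiring, using the same error handling as the post.
-- `name` comes from the query string (?name=...), i.e. it is attacker-controlled.
local function handle(db)
    local res, err, errno, sqlstate = find_by_name(db, ngx.var.arg_name or "")
    if not res then
        ngx.log(ngx.ERR, "bad result: ", err, ": ", errno, ": ", sqlstate, ".")
        return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    end
    local cjson = require "cjson"
    ngx.say(cjson.encode(res))
end

return {
    broken_query = broken_query,
    find_by_name = find_by_name,
    first_n      = first_n,
    handle       = handle,
}
```

In practice the pattern is: fixed SQL text in the Lua source, every string value passed through ngx.quote_sql_str at the point where it is concatenated, and every numeric value checked with tonumber (or an integer pattern) before it is formatted in. The resty.mysql query method takes a single complete SQL string and has no placeholder binding, so this quoting discipline is the injection defence for this library.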