Is there any advantage between these two queries? One query has no input parameters and the other has input parameters.
Method 1:
  const pool = await poolPromise;
  const request = await pool.request();
  // user input is spliced directly into the SQL text
  let CustomQuery = `INSERT INTO TableName (LastName, FirstName)
                     VALUES ('${body.LastName}', '${body.FirstName}')`;
  const result = await request.query(CustomQuery);
Method 2: using input parameters
  const pool = await poolPromise;
  const request = await pool.request()
    .input('LastName', TYPES.VarChar, body.LastName)
    .input('FirstName', TYPES.VarChar, body.FirstName);
  // the SQL text is constant; values are bound by name
  let CustomQuery = `INSERT INTO TableName (LastName, FirstName)
                     VALUES (@LastName, @FirstName)`;
  const result = await request.query(CustomQuery);
Which one is safer?
The second version is safer: the query string is constant, so SQL Server has to parse and validate the query fewer times, and the parameter types are set explicitly.
In the following test:
  const TDS = require("tedious");
  const body = {
    LastName: "A",
    FirstName: "B"
  };
  // request built by string interpolation (no parameters)
  var request = new TDS.Request(
    `INSERT INTO TableName (LastName, FirstName)
     VALUES ('${body.LastName}', '${body.FirstName}')`);
  // request with named, typed parameters
  let parmRequest = new TDS.Request(
    `INSERT INTO TableName (LastName, FirstName)
     VALUES (@LastName, @FirstName)`);
  parmRequest.addParameter('LastName', TDS.TYPES.VarChar, body.LastName);
  parmRequest.addParameter('FirstName', TDS.TYPES.VarChar, body.FirstName);
  console.log(request);
  console.log(parmRequest);
The first query is just an interpolated string and carries no parameters, so SQL Server treats it as a new query every time it has to execute it, and has to parse and validate it again each time.
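The point made in the answer can be shown without a database. The example below is added here and is not code from the question or the answer; it builds both statements from the page and scans the result for T-SQL string literals. The table and column names are the page's own, the input values (including the name containing an apostrophe) are constructed, and the helper functions are hypothetical names for this illustration. It shows that with method 1 the SQL text, and so its parsed shape, changes with the user's input, while with method 2 the SQL text is identical for every input and only the bound values differ.

```javascript
// Added example: compare the interpolated (method 1) and parameterized
// (method 2) statements from the page offline, without tedious or mssql.

const INSERT_PREFIX = 'INSERT INTO TableName (LastName, FirstName) VALUES ';

// Method 1 from the page: user input is spliced into the SQL text.
function buildInterpolated(body) {
  return `${INSERT_PREFIX}('${body.LastName}', '${body.FirstName}')`;
}

// Method 2 from the page: the SQL text is a constant and the values travel
// separately as typed parameters (mirrors request.input(name, type, value)).
function buildParameterized(body) {
  return {
    text: `${INSERT_PREFIX}(@LastName, @FirstName)`,
    params: [
      { name: 'LastName', type: 'VarChar', value: body.LastName },
      { name: 'FirstName', type: 'VarChar', value: body.FirstName },
    ],
  };
}

// Minimal scanner for T-SQL single-quoted literals ('' is an escaped quote).
// Returns how many literals the text contains and whether a literal is still
// open at the end of the text.
function scanLiterals(sql) {
  let literals = 0;
  let inLiteral = false;
  for (let i = 0; i < sql.length; i++) {
    if (sql[i] !== "'") continue;
    if (inLiteral && sql[i + 1] === "'") { i++; continue; } // escaped quote
    if (inLiteral) {
      inLiteral = false;
    } else {
      inLiteral = true;
      literals++;
    }
  }
  return { literals, unterminated: inLiteral };
}

// The interpolated INSERT is well-formed only if the input contained no
// unescaped quote: exactly two literals and none left open.
function interpolatedShapeIntact(body) {
  const { literals, unterminated } = scanLiterals(buildInterpolated(body));
  return literals === 2 && !unterminated;
}

// Whatever the bodies hold, method 2 produces one and the same SQL text.
function parameterizedTextIsConstant(bodies) {
  const texts = new Set(bodies.map((b) => buildParameterized(b).text));
  return texts.size === 1;
}

// Constructed sample inputs (not from the page).
const plain = { LastName: 'A', FirstName: 'B' };
const withQuote = { LastName: "O'Brien", FirstName: 'B' };

console.log(buildInterpolated(plain));
console.log(buildInterpolated(withQuote)); // the apostrophe in the name closes the literal early
console.log(interpolatedShapeIntact(plain), interpolatedShapeIntact(withQuote)); // true false
console.log(parameterizedTextIsConstant([plain, withQuote])); // true
```

A perfectly ordinary value such as a surname with an apostrophe is enough to change the structure of the method 1 statement, which is why its safety depends on the content of `body`; in method 2 the driver sends the constant text and the typed values separately, so the server parses the same statement every time and the values can never be read as SQL.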