Question
There is little documentation on prepared statements in LuaSQL, so I tried to put together some code to use prepared statements in LuaSQL. Unfortunately, it's not working.
(I'm using a MySQL database.)
luasql = require "luasql.mysql"
env = assert (luasql.mysql())
con = assert (env:connect("database","user","password","localhost"))
name = "insert_sql_injection_code_here"
query= "INSERT INTO `table`(`text`) VALUES ('"..name.."')"
cur = assert (con:execute(query))
-- As you can see, query is vulnerable to SQLinjection. Fix: use prepared statements:
smtp = assert(con:prepare("insert into settings (text) values(:p_name)"))
con:bind_names({p_name=name})
cur = assert (con:execute())
Gives the output:
lua: test.lua:8: attempt to call method 'prepare' (a nil value)
Does anyone have a working example of prepared statements in Lua with LuaSQL?
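The error in the question comes from calling a method the connection object does not have: the LuaSQL MySQL driver exposes no `prepare`, so `con:prepare` is nil. What the LuaSQL connection API does provide on every driver is `con:escape(str)`, which for MySQL wraps `mysql_real_escape_string`. The following is an added example (not code from the question or from LuaSQL's own documentation) that keeps the question's string-built INSERT but passes the untrusted value through `con:escape` before splicing it into the quoted literal, then reads the row back to show the hostile input was stored as data rather than parsed as SQL. The table name `settings`, the column `text`, the connection parameters and the payload string are assumptions chosen for illustration.

```lua
-- Added example, not from the original question or from LuaSQL itself.
-- Uses con:escape(), which LuaSQL's MySQL driver does provide, in place of
-- con:prepare(), which it does not.
local luasql = require "luasql.mysql"

-- Connection details are placeholders (assumption for this example).
local env = assert(luasql.mysql())
local con = assert(env:connect("database", "user", "password", "localhost"))

-- Insert one value into settings.text. con:escape() neutralises quotes,
-- backslashes and NUL bytes so the input cannot terminate the '...' literal.
-- For a non-SELECT statement, execute() returns the number of affected rows.
local function insert_text(conn, value)
  local sql = string.format(
    "INSERT INTO `settings` (`text`) VALUES ('%s')", conn:escape(value))
  return assert(conn:execute(sql))
end

-- Fetch the stored text for an exact-match lookup, escaping the same way.
local function fetch_text(conn, value)
  local cur = assert(conn:execute(
    "SELECT `text` FROM `settings` WHERE `text` = '" .. conn:escape(value) .. "'"))
  local row = cur:fetch({}, "a")   -- "a": index the row by column name
  cur:close()
  return row and row.text or nil
end

-- Constructed payload: in the question's concatenated query this would close
-- the string literal and begin a second clause. Here it is just a string.
local payload = "x'); -- injected"

assert(insert_text(con, payload) == 1, "expected exactly one inserted row")
assert(fetch_text(con, payload) == payload,
       "escaped value should round-trip unchanged")

con:close()
env:close()
```

Two caveats a practitioner should keep in mind. `escape` only protects a value that sits inside single quotes; it does nothing for identifiers (table or column names), for unquoted numbers, or for `LIMIT`/`ORDER BY` fragments, so those must come from a fixed allow-list rather than from user input. And because the escaping is done by the client library, it must be the driver's `escape` (which knows the connection's character set), not a hand-rolled `gsub` on quotes.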
Source: https://stackoverflow.com/questions/32670262/prepared-statements-for-lua-with-luasql