英文:
How to specify "greater than" parameter in an API call to an AWS Lambda (set with AWS SAM and with a MySQL DB)
问题
我在尝试允许除了等于(=)之外的比较条件时遇到了问题。
我有一个获取函数,允许我根据特定条件从我的数据库中检索所有行,例如:
GET http://127.0.0.1:3000/package?size=10
但是我想要使用大于的条件获取它们,像这样:
GET http://127.0.0.1:3000/package?size>8
但是这样做时,我收到错误消息“在'where子句'中的未知列'size>8'”,因为无法解析>,只能解析等于(=)。这是由于事件解析导致的,它在我的事件变量中给了我"queryStringParameters": {"size>8": ""},而第一个给了我"queryStringParameters": {"size": "10"},生成以下MySQL查询:
SELECT * FROM `package` WHERE `size>8` = ''
而不是
SELECT * FROM `package` WHERE `size` > 8
你知道我如何配置我的环境以获取正确的事件变量吗?我认为这与我的template.yaml文件有关,但我找不到位置(也许在RequestParameters中?)。
英文:
I'm having trouble in trying to allow comparison criteria other than = in my function.
I have a get function that allows me to retrieve all rows from my DB given specific criteria, for example :
GET http://127.0.0.1:3000/package?size=10
But I want to get them with a greater than criteria, like :
GET http://127.0.0.1:3000/package?size>8
But when doing so, I get the error "Unknown column 'size>8' in 'where clause'" because the > can't be parsed, only the = can be. It is due to the event parsing that gives me "queryStringParameters":{"size>8":""} in my event variable, when the first one gives me "queryStringParameters":{"size":"10"}, generating the following MySQL query
SELECT * from `package` WHERE `size>8`=''
Instead of
SELECT * from `package` WHERE `size`>8
Do you know how I can configure my environment in order to get the correct event variable ? I think it's related to my template.yaml file but I cant find where (maybe in the RequestParameters ?).
答案1
得分: 0
由于SQL注入攻击,直接从API客户端获取SQL操作符是不安全的。可以改进安全性的一种方法是在API上添加另一个参数,用于接受您想要执行的操作(eq,neq,gt,lt,lte,gte):
# Size = 10 (eq -> =)
GET http://127.0.0.1:3000/package?op=eq&size=10
# Size > 10 (gt -> >)
GET http://127.0.0.1:3000/package?op=gt&size=10
# Size < 10 (lt -> <)
GET http://127.0.0.1:3000/package?op=lt&size=10
您可以使用TypeScript编写类似以下的代码来实现:
const opsMap = new Map<string, string>();
opsMap.set("eq", "SELECT * from `package` WHERE `size` = ");
opsMap.set("gt", "SELECT * from `package` WHERE `size` > ");
opsMap.set("lt", "SELECT * from `package` WHERE `size` < ");
function getQuery(op: string, size: number) : string {
if (opsMap.has(op)) {
return opsMap.get(op) + size.toString();
}
throw new Error("Unknown operator");
}
英文:
Its unsafe to take SQL operators directly from API clients due to SQL injection attacks. One approach that could improve your security posture is to add another parameter on your API to accept the operation you'd like to perform (eq, neq, gt, lt, lte, gte):
# Size = 10 (eq -> =)
GET http://127.0.0.1:3000/package?op=eq&size=10
# Size > 10 (gt -> >)
GET http://127.0.0.1:3000/package?op=gt&size=10
# Size < 10 (lt -> <)
GET http://127.0.0.1:3000/package?op=lt&size=10
You can do this in typescript by writing something that looks like:
const opsMap = new Map<string, string>();
opsMap.set("eq", "SELECT * from `package` WHERE `size` = ");
opsMap.set("gt", "SELECT * from `package` WHERE `size` > ");
opsMap.set("lt", "SELECT * from `package` WHERE `size` < ");
function getQuery(op: string, size: number) : string {
if (opsMap.has(op)) {
return opsMap.get(op) + size.toString();
}
throw new Error("Unknown operator");
}
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论