一、安全
- 对于安全,如下所示:
sql
注入:窃取数据库内容XSS
攻击:窃取前端的 cookie
内容- 密码加密:保障用户信息安全
server
端攻击方式非常多,预防手段也非常多nodejs
可以通过 web server
层面预防- 有些攻击需要硬件和服务来支持,需要
OP
支持,如 DDOS
二、sql 注入
sql
注入,如下所示:
- 最原始、最简单的攻击,从有了
web2.0
就有了 sql
注入攻击 - 攻击方式:输入一个
sql
片段,最终拼接成一段攻击代码 - 预防措施:使用
MySQL
的 escape
函数处理输入内容即可
sql
注入在 nodeJS
项目中的应用,如下所示:
const env = process.env.NODE_ENV
let MYSQL_CONF
let REDIS_CONF
if (env === 'dev') {
MYSQL_CONF = {
host: 'localhost',
user: 'root',
password: '123456',
port: '3306',
database: 'nodeblog'
}
REDIS_CONF = {
port: 6379,
host: '127.0.0.1'
}
}
if (env === 'product') {
MYSQL_CONF = {
host: 'localhost',
user: 'root',
password: '123456',
port: '3306',
database: 'nodeblog'
}
REDIS_CONF = {
port: 6379,
host: '127.0.0.1'
}
}
module.exports = {
MYSQL_CONF,
REDIS_CONF
}
const mysql = require('mysql')
const { MYSQL_CONF } = require('../config/db')
const con = mysql.createConnection(MYSQL_CONF)
con.connect()
function exec (sql) {
const promise = new Promise((resolve, reject) => {
con.query(sql, (err, result) => {
if (err) {
reject(err)
return
}
resolve(result)
})
})
return promise
}
module.exports = {
exec,
escape: mysql.escape
}
const { exec, escape } = require('../db/mysql')
const login = (username, password) => {
username = escape(username)
password = escape(password)
const sql = `select username, realname from users where username=${username} and password=${password};`
return exec(sql).then(rows => {
return rows[0] || {}
})
}
module.exports = {
login
}
三、XSS 攻击
XSS
攻击,如下所示:
- 攻击方式:在页面展示内容中掺杂
js
代码,以获取网页信息 - 预防措施:转换生成
js
的特殊字符
XSS
攻击在 nodeJS
项目的应用,如下所示:
- 通过
npm i xss --save
命令下载 xss
模块 - 在
blog.js
中,代码如下所示:
const xss = require('xss')
const title = xss(blogData.title)
const { exec } = require('../db/mysql')
const xss = require('xss')
const getList = (author, keyword) => {
let sql = `select * from blogs where 1=1 `
if (author) {
sql += `and author='${author}' `
}
if (keyword) {
sql += `and title like '%${keyword}%' `
}
sql += `order by createtime desc;`
return exec(sql)
}
const getDetail = (id) => {
const sql = `select * from blogs where id='${id}'`
return exec(sql).then(rows => {
return rows[0]
})
}
const newBlog = (blogData = {}) => {
const title = xss(blogData.title)
const content = xss(blogData.content)
const author = blogData.author
const createtime = Date.now()
const sql = `insert into blogs (title, content, createtime, author)
values ('${title}', '${content}', ${createtime}, '${author}');`
return exec(sql).then(insertData => {
console.log('insertData is ', insertData)
return {
id: insertData.insertId
}
})
}
const updateBlog = (id, blogData = {}) => {
const title = xss(blogData.title)
const content = xss(blogData.content)
const sql = `update blogs set title='${title}', content='${content}' where id=${id}`
return exec(sql).then(updateData => {
console.log('updateData is', updateData)
if (updateData.affectedRows > 0) {
return true
}
return false
})
}
const deleteBlog = (id, author) => {
const sql = `delete from blogs where id=${id} and author='${author}';`
return exec(sql).then(delData => {
if (delData.affectedRows > 0) {
return true
}
return false
})
}
module.exports = {
getList,
getDetail,
newBlog,
updateBlog,
deleteBlog
}
四、密码加密
- 密码加密,如下所示:
- 万一数据库被用户攻破,最不该泄露的就是用户信息
- 攻击方式:获取用户名和密码,再去尝试登陆其他系统
- 预防措施:将密码加密,即便拿到密码也不知道明文
- 密码加密在
nodeJS
项目中的应用,如下所示:
const crypto = require('crypto')
const SECRET_KEY = 'Wzs_sd274#'
function md5(content) {
let md5 = crypto.createHash('md5')
return md5.update(content).digest('hex')
}
function genPassword(password) {
const str = `password=${password}&key=${SECRET_KEY}`
return md5(str)
}
module.exports = {
genPassword
}
const { exec, escape } = require('../db/mysql')
const { genPassword } = require('../utils/cryp')
const login = (username, password) => {
username = escape(username)
password = genPassword(password)
password = escape(password)
const sql = `select username, realname from users where username=${username} and password=${password};`
return exec(sql).then(rows => {
return rows[0] || {}
})
}
module.exports = {
login
}