Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Defending against SQL injection? #57

Closed
cmundi opened this issue Jan 21, 2012 · 2 comments
Closed

Defending against SQL injection? #57

cmundi opened this issue Jan 21, 2012 · 2 comments

Comments

@cmundi
Copy link

cmundi commented Jan 21, 2012

I'm looking for some guidance on preventing SQL injection attacks, specifically with node-sqlite3.

For example, will using

Database#prepare(sql, [param, ...], [callback])

protect against SQL injection?

Thanks.
@kkaefer
Copy link
Contributor

kkaefer commented Jan 21, 2012

SQLite protects you against SQL injections if you specify user-supplied data as part of the params rather than stringing together an SQL query:

BAD: db.prepare("INSERT INTO foo VALUES(" + variable + ")");

GOOD: db.prepare("INSERT INTO foo VALUES (?)", variable);

By using the placeholder ?, SQLite automatically treats the data as input data and it does not interfere with parsing the actual SQL statement.

@kkaefer kkaefer closed this as completed Jan 21, 2012
@cmundi
Copy link
Author

cmundi commented Jan 21, 2012

Thanks. I hoped so. I did not want to assume that "prepare" in
node-sqlite3 means thevsamw thing as sqlite3_prepare in the sqlite libs. I
should stop being lazy and just look at the source. :) Thanks!
On Jan 21, 2012 3:08 AM, "Konstantin Kfer" <
reply@reply.github.com>
wrote:

SQLite protects you against SQL injections if you specify user-supplied
data as part of the params rather than stringing together an SQL query:

BAD: db.prepare("INSERT INTO foo VALUES(" + variable + ")");

GOOD: `db.prepare("INSERT INTO foo VALUES (?)", variable);

By using the placeholder ?, SQLite automatically treats the data as
input data and it does not interfere with parsing the actual SQL statement.

Reply to this email directly or view it on GitHub:

#57 (comment)

Efreak pushed a commit to Efreak/node-infobot that referenced this issue Jun 10, 2014
Sanitize SQL
2abe8f7 
node-sqlite automatically sanitizes when you do this. YAY! See
TryGhost/node-sqlite3#57 for details.
@Mithgol Mithgol mentioned this issue Jul 4, 2014
Closed
@hitanshup hitanshup mentioned this issue Jan 19, 2017
Merged
AnnAddicks added a commit to AnnAddicks/electron-sqlite-example that referenced this issue Aug 9, 2017
@AnnAddicks
Switch string concatenation to placeholders.
7f6b343 
The current method is open to SQL injection attacks, see: TryGhost/node-sqlite3#57
@AnnAddicks AnnAddicks mentioned this issue Aug 9, 2017
Merged
StevenSong added a commit to JumboCode/E4P that referenced this issue Jan 30, 2019
@StevenSong
cleanup
6b83f2a 
interestingly enough, apparently theres no need to prepare statements as parametizing inputs seems to be good enough re: TryGhost/node-sqlite3#57
@jpchip jpchip mentioned this issue May 9, 2019
Closed
@Benjamin-Davies Benjamin-Davies mentioned this issue Sep 26, 2019
Open
@benetherington benetherington mentioned this issue Feb 2, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kkaefer @cmundi