
Defending against SQL injection? #57

Closed
cmundi opened this issue Jan 21, 2012 · 2 comments

Comments


cmundi commented Jan 21, 2012

I'm looking for some guidance on preventing SQL injection attacks, specifically with node-sqlite3.

For example, will using

Database#prepare(sql, [param, ...], [callback])

protect against SQL injection?

Thanks.

Contributor

kkaefer commented Jan 21, 2012

SQLite protects you against SQL injections if you specify user-supplied data as part of the params rather than stringing together an SQL query:

BAD: db.prepare("INSERT INTO foo VALUES(" + variable + ")");

GOOD: db.prepare("INSERT INTO foo VALUES (?)", variable);

By using the placeholder ?, SQLite automatically treats the data as input data and it does not interfere with parsing the actual SQL statement.

@kkaefer kkaefer closed this as completed Jan 21, 2012
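The contrast in the comment above, shown end to end as an added example (not code from this issue or from node-sqlite3). It uses Python's standard-library sqlite3 module, which drives the same SQLite engine and the same `?` bind parameters, so the behaviour carries over to node-sqlite3's `db.prepare("... WHERE name = ?", value)`. The `users` table, its rows, the `' OR '1'='1` payload and the `ALLOWED_SORT_COLUMNS` allowlist are constructed for the demo. It also goes one step past the comment: a placeholder binds a value, never an identifier, so a column name used in ORDER BY still has to be checked against an allowlist before it touches the SQL text.

```python
import sqlite3

# Added example (not code from the issue or from node-sqlite3). Python's
# standard-library sqlite3 module drives the same SQLite engine, so '?'
# placeholders behave exactly as described in the comment above; the
# node-sqlite3 equivalent is db.prepare("... WHERE name = ?", name).
# The users table and its rows are constructed for this demo.

ALLOWED_SORT_COLUMNS = {"id", "name", "role"}  # constructed allowlist of identifiers


def make_db() -> sqlite3.Connection:
    """In-memory database with a few constructed rows (insertion order matters below)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("bob", "user"), ("alice", "admin"), ("o'neil", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The BAD pattern: the value is spliced into the SQL text, so any quote in
    it becomes SQL syntax. Kept deliberately vulnerable for comparison."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """The GOOD pattern: '?' is a bind parameter. SQLite compiles the statement
    first and only then receives the value, which therefore cannot alter the parse."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def concatenation_breaks_on(conn: sqlite3.Connection, name: str) -> bool:
    """True if the concatenated query does not even parse for this input
    (e.g. a perfectly legitimate name containing an apostrophe)."""
    try:
        find_user_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def list_users_sorted_wrong(conn: sqlite3.Connection, column: str) -> list:
    """Caveat: a bind parameter is always a *value*. ORDER BY ? bound to 'name'
    sorts by the constant string 'name', i.e. leaves rows in scan (rowid) order."""
    return conn.execute("SELECT name FROM users ORDER BY ?", (column,)).fetchall()


def list_users_sorted(conn: sqlite3.Connection, column: str) -> list:
    """Identifiers cannot be parameterized, so they are checked against an
    allowlist before being interpolated into the SQL text."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return conn.execute(f"SELECT name FROM users ORDER BY {column}").fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("concatenated, injected:", find_user_vulnerable(db, payload))   # every row
    print("parameterized, injected:", find_user_safe(db, payload))        # no row
    print("parameterized, o'neil:", find_user_safe(db, "o'neil"))
    print("concatenated breaks on o'neil:", concatenation_breaks_on(db, "o'neil"))
    print("ORDER BY ? bound to 'name':", list_users_sorted_wrong(db, "name"))
    print("ORDER BY name via allowlist:", list_users_sorted(db, "name"))
```

The same payload returns every row through concatenation and no row through the placeholder, and the apostrophe in `o'neil` shows that concatenation is not just insecure but wrong even for honest input. The last two functions are the part the comment does not cover: binding `name` into `ORDER BY ?` runs without error and silently does not sort, so table and column names need an allowlist rather than a placeholder.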

cmundi commented Jan 21, 2012

Thanks. I hoped so. I did not want to assume that "prepare" in
node-sqlite3 means the same thing as sqlite3_prepare in the sqlite libs. I
should stop being lazy and just look at the source. :) Thanks!

On Jan 21, 2012 3:08 AM, "Konstantin Käfer" <reply@reply.github.com> wrote:

> SQLite protects you against SQL injections if you specify user-supplied
> data as part of the params rather than stringing together an SQL query:
>
> BAD: db.prepare("INSERT INTO foo VALUES(" + variable + ")");
>
> GOOD: db.prepare("INSERT INTO foo VALUES (?)", variable);
>
> By using the placeholder ?, SQLite automatically treats the data as
> input data and it does not interfere with parsing the actual SQL statement.

Efreak pushed a commit to Efreak/node-infobot that referenced this issue Jun 10, 2014
node-sqlite automatically sanitizes when you do this. YAY! See
TryGhost/node-sqlite3#57 for details.
AnnAddicks added a commit to AnnAddicks/electron-sqlite-example that referenced this issue Aug 9, 2017
The current method is open to SQL injection attacks, see: TryGhost/node-sqlite3#57
StevenSong added a commit to JumboCode/E4P that referenced this issue Jan 30, 2019
interestingly enough, apparently there's no need to prepare statements as parameterizing inputs seems to be good enough re: TryGhost/node-sqlite3#57