The most typical SQL injection
Closed this issue · 1 comments
kekonen commented
The most typical SQL injection
If you update something and set a string which contains '
the application will crash. You can also easily exploit it.
In any case it makes no use for '
in an app.
sh: ^2.0.1
pg: 11.2
Reproduce:
this.voices = this.db.service({
table: 'voices',
primaryKey: 'id'
});
const title = `'something', "password" = 'pizza123'`
this.db.update('voices')
.set('file_id_cached', file_id_cached)
.set('size', size)
.set('title', title)
.set('active', true)
.where('id', id)
.returning('*')
.build()
Produces which SQL code which has an injection
UPDATE "voices" SET "file_id_cached" = 'my file id', "size" = 913, "title" = 'something', "password" = 'pizza123', "active" = true WHERE "id" = '5' RETURNING *
I have DB
CREATE TABLE voices (
id SERIAL PRIMARY KEY,
password VARCHAR(40) NOT NULL,
file_id_cached VARCHAR(40),
hash_sha256 VARCHAR(64),
owner_id INTEGER NOT NULL,
title VARCHAR(90),
duration INTEGER,
size INTEGER,
active BOOLEAN NOT NULL DEFAULT 'f',
used INTEGER NOT NULL DEFAULT 0
);
I expected
UPDATE "voices" SET "file_id_cached" = 'my file id', "size" = 913, "title" = `'something', "password" = 'pizza123'`, "active" = true WHERE "id" = '5' RETURNING *
lorenzofox3 commented
if you wish to prevent sql injection you should use parameterized queries
const title = `'something', "password" = 'pizza123'`;
const query = update("voices")
.set("title", "$title")
.returning("*")
.build({
title
});
If you still see a problem, let me know