Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Does Knex.js prevent sql injection?

I'm using a MySql database and was trying to find a MySQL alternative to tedious.js (a SQL server parameterised query builder).I'm using Node.js for my backend.

I read that the .raw() command from knex.js is susceptible to sql injection, if not used with bindings. But are the other commands and knex.js as a whole safe to use to prevent sql injection? Or am I barking up the wrong tree?

like image 810
Harsh Saudagar Avatar asked Apr 05 '18 05:04

Harsh Saudagar


People also ask

Is KNEX safe from SQL injection?

Read carefully from knex documentation how to pass values to knex raw (http://knexjs.org/#Raw). In that case parameters and query string are passed separately to database driver protecting query from SQL injection. Other query builder methods always uses binding format internally so they are safe too.

What prevents SQL injection?

The only sure way to prevent SQL Injection attacks is input validation and parametrized queries including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms.

Why should I use KNEX?

Knex allows us to create queries using Javascript syntax. It will then translate our syntax into the appropriate SQL for each supported database. Knex supports many popular relational databases like Postgresql, MySQL, SQLite, and others.

Does HTML encode prevent SQL injection?

The single character that enables SQL injection is the SQL string delimer ' , also known as hex 27 or decimal 39. This character is represented in the same way in SQL and in HTML. So an HTML encode does not affect SQL injection attacks at all.


1 Answers

Read carefully from knex documentation how to pass values to knex raw (http://knexjs.org/#Raw).

If you are passing values as parameter binding to raw like:

knex.raw('select * from foo where id = ?', [1]) 

In that case parameters and query string are passed separately to database driver protecting query from SQL injection.

Other query builder methods always uses binding format internally so they are safe too.

To see how certain query is passed to database driver one can do:

knex('foo').where('id', 1).toSQL().toNative() 

Which will output SQL string and bindings that are given to driver for running the query (https://runkit.com/embed/2yhqebv6pte6).

Biggest mistake that one can do with knex raw queries is to use javascript template string and interpolate variables directly to SQL string format like:

knex.raw(`select * from foo where id = ${id}`) // NEVER DO THIS  

One thing to note is that knex table/identifier names cannot be passed as bindings to driver, so with those one should be extra careful to not read table / column names from user and use them without properly validating them first.

Edit:

By saying that identifier names cannot be passed as bindings I mean that when one is using ?? knex -binding for identifier name, that will be rendered as part of SQL string when passed to the database driver.

like image 94
Mikael Lepistö Avatar answered Oct 08 '22 12:10

Mikael Lepistö