Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Does pg (node-postgres) automatically sanitize data

I am using node-postgres for a production application and I am wondering if there is anything I should be concerned about? Is the data sanitized automatically by node-postgres?

I couldn't find anything about it on the github page: https://github.com/brianc/node-postgres

like image 544
Luke Schlangen Avatar asked Jan 04 '17 03:01

Luke Schlangen


2 Answers

Absolutely! The parameterized query support in node-postgres is first class. All escaping is done by the postgresql server ensuring proper behavior across dialects, encodings, etc... For example, this will not inject sql:

client.query("INSERT INTO user(name) VALUES($1)", ["'; DROP TABLE user;"], function (err, result) {
  // ...
});

This is from their documentation.

like image 149
Tuan Anh Tran Avatar answered Nov 12 '22 22:11

Tuan Anh Tran


It basically depends on how you execute your queries as @vitaly-t described

Suppose you will define query in a string and execute as follows:

var query = `SELECT * FROM table where username='${username}' and password='${password}`;
        
pool.query(query, (error, results) => {
});

This case if i would pass username=' 'or 1=1; -- and password=' 'or 1=1; --

Then it will return all records from the table (means SQL injection works)

But if I would execute the following query

pool.query('SELECT * FROM table where username=$1 and password=$2', [username, password], (error, results) => {
});

Then SQL injection will never work because pg will sanitize the data.

So it's depends on how you execute the queries.

like image 18
Ankit Avatar answered Nov 12 '22 22:11

Ankit