 

How to escape in Sequelize?

I'm using Sequelize with Node.js/Express and I'm not sure how to escape with Sequelize in the where part.

var sequelize = ...;
var Product = sequelize.define('product', ...);
var productId = 5;
var productName = "test";

// manual escaping applied to the values before handing them to the ORM
Product.findAll({
        where: {
            $or: [
                 {productId: this.mysql.escapeId(productId)},
                 {productName: {$like: this.mysql.escapeId('%' + productName + '%')}},
             ]
        }
    })
    .then(result => ...);

This is not working; I obtain the following query:

SELECT `productId`, `productName` FROM `product` AS `product` WHERE (`product`.`productId` = '`5`' OR `product`.`productName` LIKE '\'%test%\'') ORDER BY `product`.`productId` ASC

which gives me no results. So how do I escape with Sequelize? I also tried the function Sequelize.escape, but I got the error "TypeError: Sequelize.escape is not a function".

And if there's no need to escape the values, thanks to Sequelize, I don't understand how it will stay safe from a SQL injection attack. Example: productId = '5; DELETE * FROM SOMETHING;'

Thanks a lot for your help!

Have a good day,

vanessa

vanessa asked May 30 '17 21:05


People also ask

Is Sequelize literal safe?

Important Note: Since sequelize.literal inserts arbitrary content without escaping into the query, it deserves very special attention, since it may be a source of (major) security vulnerabilities. It should not be used on user-generated content.

How do I run a query in Sequelize?

The Sequelize instance comes with the query() method, which you can use to run a raw query. The syntax of the method is as shown below: const [results, metadata] = await sequelize.query("Your query here", { options });

What does raw true do in Sequelize?

According to the doc: If you do not provide other arguments than the SQL, raw will be assumed to be true, and Sequelize will not try to do any formatting to the results of the query.

How do I get raw query in Sequelize?

As there are often use cases in which it is just easier to execute raw / already prepared SQL queries, you can use the sequelize.query method. By default the function will return two arguments: a results array, and an object containing metadata (such as the number of affected rows, etc.).


2 Answers

As @FiftiN correctly states in his answer, Sequelize handles escaping in most instances.

The only instance where I needed manual escaping was when composing raw SQL queries. Sequelize raw SQL queries use placeholders ($ or ?), which are also escaped:

// each "?" is filled, in order, with the escaped value from `replacements`
sequelize.query('SELECT * FROM projects WHERE status = ?',
  { replacements: ['active'], type: sequelize.QueryTypes.SELECT }
)

Though when working with special SQL functions, I sometimes found it more appropriate to escape manually:

var SqlString = require('sequelize/lib/sql-string')
// SqlString.escape returns the value already wrapped in single quotes
var input = SqlString.escape("'string'( \"value")
sequelize.query(
    `SELECT * FROM projects WHERE regexp_matches("status", '^\'${input} *\\w*\'')`,
    {type: sequelize.QueryTypes.SELECT }
)

The strange regular expression just serves as an example of why the standard escape mechanism may feel clunky. The example also uses ES6 template strings.

I found the escape method in https://github.com/sequelize/sequelize/issues/1132.

WARNING: The escape method takes additional parameters, like the SQL dialect. Make sure you understand its workings before relying on it! Additionally, the method may change or no longer exist in future releases, as it is not documented in the official documentation.

Davidiusdadi answered Oct 11 '22 07:10
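The following is an added, self-contained example (not code from the question, the answers, or the Sequelize or mysqljs projects) that models what the ORM does with bound values, so the three points on this page can be seen side by side: why the double-escaped query in the question (`'`5`'` and `'\'%test%\''`) matches nothing, how the `?` placeholders with `replacements` from the answer above neutralise the `5; DELETE * FROM SOMETHING;` payload, and why `sequelize.literal` (from the "People also ask" note) does not. The functions `escape`, `escapeId`, `format`, `literal` and `statementCount` are my own simplified re-implementations; the character-escaping rules follow the MySQL driver's sqlstring conventions but are not the library's code. Note that the `LIKE` operand shown in the question is what you get when the value has already been through `escape()` (single quotes), not `escapeId()` (backticks); both are modelled here.

```javascript
// Added example: a minimal model of MySQL-style value escaping and "?" placeholder
// filling. Not Sequelize's or mysqljs's code; escaping rules are a simplified
// version of the sqlstring conventions (backslash-escape control chars and quotes).

const ESCAPES = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
};

// Marker for raw SQL that is spliced in verbatim (the role sequelize.literal plays).
class Literal {
  constructor(sql) { this.sql = sql; }
}
function literal(sql) { return new Literal(sql); }

// Escape one value as a SQL literal: numbers stay bare, null becomes NULL,
// everything else becomes a single-quoted string with dangerous characters backslashed.
function escape(value) {
  if (value instanceof Literal) return value.sql;            // deliberately unescaped
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') return String(value);
  if (typeof value === 'boolean') return value ? 'true' : 'false';
  const s = String(value).replace(/[\0\b\t\n\r\x1a"'\\]/g, (ch) => ESCAPES[ch]);
  return `'${s}'`;
}

// Escape an identifier (table or column name): backticks, inner backticks doubled.
function escapeId(name) {
  return '`' + String(name).replace(/`/g, '``') + '`';
}

// Fill "?" placeholders left to right, escaping each value. A replacer callback's
// return value is inserted verbatim, so a "?" inside a value is never re-scanned.
function format(sql, values) {
  let i = 0;
  return sql.replace(/\?/g, () => {
    if (i >= values.length) throw new Error('not enough values for placeholders');
    return escape(values[i++]);
  });
}

// Constructed template mirroring the query in the question.
const TEMPLATE =
  'SELECT `productId`, `productName` FROM `product` ' +
  'WHERE `productId` = ? OR `productName` LIKE ?';

// What the question's code does: escape by hand, then the binding escapes again,
// so the database compares against the literal texts `5` and '%test%'.
function doubleEscapedQuery() {
  return format(TEMPLATE, [escapeId(5), escape('%test%')]);
}

// What the ORM does on its own: pass raw values and escape exactly once.
function correctQuery(productId, productName) {
  return format(TEMPLATE, [productId, '%' + productName + '%']);
}

// The payload from the question becomes a harmless string literal.
function injectionAttempt() {
  return correctQuery('5; DELETE * FROM SOMETHING;', "O'Reilly");
}

// The same payload through literal(): spliced into the statement unchanged.
function literalBypass() {
  return format(TEMPLATE, [literal('5; DELETE * FROM SOMETHING;'), '%test%']);
}

// Count statements by finding ';' outside single-quoted strings; a quick check
// that user input never terminated the statement it was bound into.
function statementCount(sql) {
  let inString = false;
  let count = 1;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inString && ch === '\\') { i++; continue; }   // skip the escaped character
    if (ch === "'") inString = !inString;
    else if (ch === ';' && !inString) count++;
  }
  return count;
}

console.log('double-escaped :', doubleEscapedQuery());
console.log('correct        :', correctQuery(5, 'test'));
console.log('bound payload  :', injectionAttempt(), '->', statementCount(injectionAttempt()), 'statement(s)');
console.log('literal payload:', literalBypass(), '->', statementCount(literalBypass()), 'statement(s)');
```

Running it prints the question's `= '`5`'` / `LIKE '\'%test%\''` form for the double-escaped case, a single statement for the bound payload (the `;` stays inside the quoted literal), and three statements for the `literal()` case. The practical rule is the one the answers give: hand Sequelize the raw value, through `where` or `replacements`/`bind`, and never escape it yourself first; reserve `sequelize.literal` and string concatenation for SQL you wrote, never for input.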


No need to escape in this case, Sequelize does it.

FiftiN answered Oct 11 '22 05:10