Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to write parameterized sql query to prevent SQL injection?

Tags:

javascript

sql

postgresql

knex.js

I initially discovered that this was an issue when I tried to search for terms that had been prepended with a hashtag, which it turns out is a comment delimiter in SQL. The search returned nothing, because it ignored the #term that came after the hashtag.

So now I'm having trouble finding the proper way of escaping the user's input. It seems to me that this would both solve the hashtag issue and also address the much larger problem, SQL injection.

Here is the snippet I am working with specifically:

function (term) {
  term = term.toLowerCase()
  return db('ticket')
    .select('*')
    .where(db.raw('lower(question)'), 'like', `%${term}%`)
    .orWhere(db.raw('lower(note)'), 'like', `%${term}%`)
    .orWhere(db.raw('lower(user_name)'), 'like', `%${term}%`)
}

I did find this and this SO article that seemed close, as well as a couple other things. Also, Knex's docs and other sources recommend parameterized binding as a method to safeguard against SQL injection.

I'm just having trouble finding a clear example that can be explained to me in JavaScript or using Knex.

like image 838
Mike Fleming Avatar asked Dec 19 '22 11:12

Mike Fleming

2 Answers

I'm not a Knex.js user, but looking at the docs it seems that Knex's use of JavaScript object syntax to define predicates is how it achieves parameterization.

However as you're using built-in functions you need to use whereRaw.

Looking at the docs ( http://knexjs.org/#Builder-whereRaw ) and ( http://knexjs.org/#Raw-Bindings ) I think you want to do this:

.whereRaw('question LIKE :term OR note LIKE :term OR user_name LIKE :term', { term: '%' + term + '%' ] } )

Knex doesn't have an orWhereRaw, so you should use the longhand version if you want to logically separate the predicates:

term = '%' + term + '%';

.orWhere( knex.raw( 'question  LIKE ?', [ term ] ) )
.orWhere( knex.raw( 'note      LIKE ?', [ term ] ) )
.orWhere( knex.raw( 'user_name LIKE ?', [ term ] ) )

Note ? is for positional parameters, and :term is for named parameters.

like image 160
Dai Avatar answered Apr 05 '23 23:04

Dai

It seems that the only time in which you really need to worry about sql injection is if you are using knex.raw() or any other pure sql command. In other words, Knex escapes the input for you automatically.

As for the hashtag issue, after messing around with PG Commander I discovered that I could search for #'s just fine. I just needed to url encode hashtags before sending them to my backend... A little embarrassing but I learned something new today.

like image 32
Mike Fleming Avatar answered Apr 05 '23 23:04

Mike Fleming
Sign in to Comment

Related questions

PEG.js Get any text between ( and );
JSON parsing in javascript for json-ld
Exclude only 0 in regular expression javascript
How could I call a Angular2 function from a Google Map infowindow?
Not able to validate all nested child elements length
Why does Array.splice(-1,1) remove last element in Javascript? [closed]
Receiving Jquery POST data in Express
How can I 'page zoom' on mobile browser
convert uppercase and lowercase in javascript [duplicate]
Complex circle diagram
Does parseFloat ever throw an error?
What's the dot mean in the name of angular module
Wordpress throws an error when loading http_headers_1.js
How to set a selected option using ajax?
How can I call a already defined function on keypress?
Owl Carousel returning errors
How to Separate Jsx inside render function into a separate file in ES6? or any other solution in react to separate the Logic and presentation?
How to collapse a div with reactjs?
Check if a function is using a callback or returning a value
Use Mongoose to update subdocument in array

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!