Menu
I am new to Sequelize (a node.js ORM) and wondering if the following code is safe:
var models = require('../models');
var router = require('express').Router();
router.post('/', function(req, res, next){
models.Account
.create(req.body) // <-- THIS IS WHAT MY QUESTION IS ABOUT, IS THIS SAFE?
.then(function(result){
res.status(200)
.send(result)
.end();
}).catch(next);
});
If you are using this, could this be unsafe in some way? The other solution would be:
var models = require('../models');
var router = require('express').Router();
router.post('/', function(req, res, next){
models.Account
.create({
username: req.body.username, // <-- THIS IS MORE VERBOSE BUT PROBABLY SAFER?
accountname: req.body.accountname,
level: req.body.level
})
.then(function(result){
res.status(200)
.send(result)
.end();
}).catch(next);
});
So basically my question is: is it safe to use the full request body as an input to the model.create() function (and model.set() and model.build())?
608
As a general rule, before passing data to any persistence technology you should be validating the input to see if it is safe for your domain. So, even if this is safe from a SQL Injection Attack point-of-view, I'd still suggest doing the second way with an additional validation step before calling models.Account.create so that you are passing known values to the ORM, rather than whatever has come in the body of the HTTP request (which could be anything, not just what was on your page)
95
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
