Raw queries do not handle identifier bindings correctly
If we attempt to use knex.raw to write the following type of query:
> select 'val' as "name?"
name?
---------
val
(1 row)
by writing the following…
knex.raw('select ? as ??', ['val', 'name?'])
.catch(e => console.error(e))
we get this error:
{ error: 'select * from (select $1 as "name$2") as t -
could not determine data type of parameter $1' }
[edited]
Issue Analytics
- State:
- Created 6 years ago
- Comments:10 (6 by maintainers)
Don't use periods or don't use ?? binding in that case. ?? bindings treat periods as special characters and that is not going to change.
Safest to avoid everything that is not
a-zA-Z0-9_-.
That binding should be used for 'table.column'
type of references. And those should not be read from user input anyway.
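Added example, not code from the issue or from knex itself: a guard that sits in front of a knex.raw `??` identifier binding. It covers both the failing query in the issue (an identifier containing `?`) and the maintainer's advice above, by (1) rejecting any identifier outside the a-zA-Z0-9_-. allowlist the maintainer suggests, (2) modelling, in simplified form, the period-splitting behaviour the maintainer describes (`table.column` becomes two quoted parts), and (3) mapping user-controlled sort keys to fixed table.column references so that user input never reaches the binding at all. The names `IDENT_RE`, `safeIdentifier`, `quoteIdentifier`, `ALLOWED_SORT_COLUMNS` and `buildOrderBy` are hypothetical; knex's own `wrapIdentifier` is dialect-specific and is not reproduced here.

```javascript
// Added example (not knex's code). Guard for identifiers destined for a `??` binding.

// Allowlist from the maintainer's comment: letters, digits, underscore, hyphen, period.
const IDENT_RE = /^[A-Za-z0-9_\-.]+$/;

// Reject anything outside the allowlist before it reaches knex.raw.
// The issue's `name?` fails here instead of having its `?` mistaken for a
// binding placeholder inside the generated SQL.
function safeIdentifier(ident) {
  if (typeof ident !== 'string' || ident.length === 0) {
    throw new TypeError('identifier must be a non-empty string');
  }
  if (!IDENT_RE.test(ident)) {
    throw new Error(`unsafe identifier: ${JSON.stringify(ident)}`);
  }
  // A period is a qualifier separator, so `users..email` or `.email` is malformed.
  if (ident.split('.').some((part) => part.length === 0)) {
    throw new Error(`empty segment in identifier: ${JSON.stringify(ident)}`);
  }
  return ident;
}

// Simplified model of what `??` does with a period: each dot-separated
// segment is double-quoted on its own (PostgreSQL style), so
// `users.email` renders as "users"."email". The allowlist already excludes
// double quotes, so no escaping inside a segment is needed here.
function quoteIdentifier(ident) {
  return safeIdentifier(ident)
    .split('.')
    .map((part) => `"${part}"`)
    .join('.');
}

// Stronger control when the column choice comes from a request: map the
// user's key to a fixed table.column reference. A Map (not a plain object)
// avoids inherited keys such as "constructor" matching by accident.
const ALLOWED_SORT_COLUMNS = new Map([
  ['email', 'users.email'],
  ['created', 'users.created_at'],
]);

function buildOrderBy(sortKey) {
  const column = ALLOWED_SORT_COLUMNS.get(sortKey);
  if (column === undefined) {
    throw new Error(`unknown sort key: ${JSON.stringify(sortKey)}`);
  }
  // The SQL text is fixed; only an allowlisted, validated identifier is interpolated.
  return `select * from users order by ${quoteIdentifier(column)}`;
}

// Demonstration on constructed inputs.
function demo() {
  console.log(buildOrderBy('email'));
  for (const bad of ['name?', 'users.email; drop table users', 'users..email', '']) {
    try {
      safeIdentifier(bad);
    } catch (e) {
      console.log('rejected:', e.message);
    }
  }
}

demo();
```

In the real application the validated string would be passed to knex as the `??` binding (or, better, the `ALLOWED_SORT_COLUMNS` value would be used with the query builder's `orderBy`), so the allowlist is the control and the quoting model only shows why a period is not a literal character there.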