
SQL Injection Documentation not clear


Maybe it's just not clear for me, but I'm confused by this section ("ES6 Tagged template literals"):

const sql = require('mssql')

sql.connect(config).then(() => {
    // tagged template: the interpolated value is bound as a parameter
    return sql.query`select * from mytable where id = ${value}`
}).then(result => {
    console.dir(result)
}).catch(err => {
    // ... error checks
})

sql.on('error', err => {
    // ... error handler
})

"All values are automatically sanitized against sql injection."

and

"SQL injection: This module has built-in SQL injection protection. Always use parameters to pass sanitized values to your queries."

const request = new sql.Request()
// the value is bound to @myval, never spliced into the query text
request.input('myval', sql.VarChar, '-- commented')
request.query('select @myval as myval', (err, result) => {
    console.dir(result)
})

Which one is the preferred "best practice" to use? Or does it not matter and do they both accomplish the same thing? Obviously I'm concerned with SQL injection.

Issue Analytics

  • State: closed
  • Created: 5 years ago
  • Reactions: 1
  • Comments: 9

Top GitHub Comments

1 reaction
patriksimek commented, Jul 5, 2018

@blaskovicz Can you please open a separate issue for that with sample code to reproduce the problem? Thank you.

Regarding this issue: I'll update the docs with a clear statement that tagged template literals are sanitized as well.

1 reaction
tracker1 commented, Jun 25, 2018

The tagged template method creates a parameterized query that is protected from SQL injection...

sql.query`

The backtick is right after the name of the function that will process the string with parameters.

Both will give you the same result; I find the tagged template literals easier to grasp... also, if you are working with a recent (8+) Node version, you can use async functions and just await the query...

const sql = require('mssql')

// await only works inside an async function
async function loadFoo() {
    const baz = await getBaz(); // should return a primitive value
    const results = await sql.query`
        SELECT *
        FROM foo
        WHERE foo.bar = ${baz}
    `;
    return results;
}

I much prefer the syntax above; it's just so close to direct SQL, and it sends in parameters.
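To make concrete why the two documented forms are equivalent, here is an added example (not code from the mssql project) of a toy tag function that does what the comments above describe: it turns a tagged template into a parameterized query and, for contrast, shows what an untagged template would produce. The `@p0` naming, the `parameterize`/`concatenate`/`bind` helpers and the minimal `request` object (anything with `input` and `query` methods) are my own assumptions, not mssql's API.

```javascript
// Added illustration, not mssql's implementation: a tag function that collects
// interpolated values as named parameters instead of splicing them into SQL.
// Parameter names (@p0, @p1, ...) are an assumption made for this example.
function parameterize(strings, ...values) {
  const params = {};
  let text = '';
  strings.forEach((chunk, i) => {
    text += chunk;
    if (i < values.length) {
      const name = `p${i}`;
      params[name] = values[i];
      text += `@${name}`; // only the placeholder enters the SQL text
    }
  });
  return { text, params };
}

// Unsafe counterpart: what an untagged template literal (plain concatenation)
// produces. The value becomes part of the SQL text itself.
function concatenate(strings, ...values) {
  return strings.reduce(
    (acc, chunk, i) => acc + chunk + (i < values.length ? String(values[i]) : ''),
    ''
  );
}

// Bridge to the explicit request.input() style from the second doc snippet:
// bind each collected parameter by name, then run the placeholder text.
// `request` is assumed to expose input(name, value) and query(text).
function bind(request, parsed) {
  for (const [name, val] of Object.entries(parsed.params)) {
    request.input(name, val);
  }
  return request.query(parsed.text);
}

// Constructed sample input: the same "-- commented" string used in the docs.
const value = '-- commented';
const safe = parameterize`select * from mytable where id = ${value}`;
const unsafe = concatenate`select * from mytable where id = ${value}`;
// safe.text   -> 'select * from mytable where id = @p0'
// safe.params -> { p0: '-- commented' }
// unsafe      -> 'select * from mytable where id = -- commented'
```

Run against a real mssql `Request`, `bind(request, safe)` is the same binding the explicit `request.input` snippet performs by hand.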
