Sql injection prevention #9
Comments
If you are familiar with the pg driver, it would be great if you could provide some examples, or, better, send a pull request. Thanks!
The code should be updated to use $ positional parameter markers, for example:
When done this way, the pg driver sends the query to the server for parameter binding, so the client doesn't need to worry about escaping.
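The contrast the comment above draws, as an added example that is not code from jugglingdb, jugglingdb-postgres or the pg driver: a naive where-clause builder that splices values into the SQL text beside one that emits `$1`, `$2`, ... markers and returns the values separately for the driver to bind. The `buildSelect`/`buildSelectUnsafe`/`quoteIdent` names, the `{column: value}` where-clause shape and the sample input are assumptions for illustration; the `client.query(text, values)` call shown in a comment is how the result would be handed to pg and is not executed here.

```javascript
// Added example (not jugglingdb-postgres code): building a parameterised
// query with pg-style $n markers instead of interpolating values into SQL.
// Only an assumed where-clause shape of {column: value} is handled.

// Column and table names cannot be bound as parameters, so they are
// restricted to a plain-identifier pattern and double-quoted instead.
const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

function quoteIdent(name) {
  if (!IDENT_RE.test(name)) {
    throw new Error('invalid identifier: ' + name);
  }
  return '"' + name + '"';
}

// Vulnerable form: each value is spliced into the SQL text, so a crafted
// value rewrites the statement (the class of bug the issue reports).
function buildSelectUnsafe(table, where) {
  const conds = Object.keys(where).map(
    (k) => k + " = '" + where[k] + "'"
  );
  return 'SELECT * FROM ' + table + ' WHERE ' + conds.join(' AND ');
}

// Safe form: emit $1, $2, ... markers and collect the values in order.
// The driver sends text and values to the server for binding, so no
// client-side escaping of the values is needed.
function buildSelect(table, where) {
  const values = [];
  const conds = Object.keys(where).map((k) => {
    values.push(where[k]);
    return quoteIdent(k) + ' = $' + values.length;
  });
  return {
    text: 'SELECT * FROM ' + quoteIdent(table) + ' WHERE ' + conds.join(' AND '),
    values: values,
  };
}

// Hand-off to the pg driver (assumed usage, not executed in this example):
//   const q = buildSelect('users', { email: userInput });
//   client.query(q.text, q.values, callback);

// Constructed sample input: a classic tautology payload.
const malicious = "x' OR '1'='1";
const unsafe = buildSelectUnsafe('users', { email: malicious });
const safe = buildSelect('users', { email: malicious, active: true });
// unsafe:     SELECT * FROM users WHERE email = 'x' OR '1'='1'
// safe.text:  SELECT * FROM "users" WHERE "email" = $1 AND "active" = $2
// safe.values: ["x' OR '1'='1", true]   (payload stays inert data)
```

Note the identifier check: binding covers values only, so if the ORM lets callers pick column names those still have to be validated or quoted on the client, which is why `quoteIdent` rejects anything that is not a plain identifier.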
I've worked on that in my fork https://github.com/martinell/jugglingdb-postgres/commits/master. It is at an early stage because it still has some replicated code. This is because there are some dependencies on the jugglingdb module. To fully apply prepared statements, some modifications would be required to that code, and that would affect the mysql adapter. This might require reviewing the interface between the ORM and the sql adapters.
In postgres adapter you can override anything from base sql, if it doesn't
On Sun, Jan 20, 2013 at 6:25 PM, Luis [email protected] wrote:
Thanks,
@1602 @martinell is this still an issue? Can you provide an example of how SQL injection can occur?
From what I can see, the code of the adapter looks the same as before I made my changes to it on my fork (https://github.com/martinell/jugglingdb-postgres/commits/master). There you can find some tests I added to check for SQL injection (https://github.com/martinell/jugglingdb-postgres/blob/ec91a67d983aae1dddbcad525e51a7734ba2aa84/test/postgres.js).
I am starting to use this module. Before, I was using the pg driver directly and I was able to prevent SQL injection attacks by using placeholders in the queries and passing the parameters to the driver. When I started using jugglingdb I realized that now I am able to inject SQL code into the queries.