show how to use mysql.escape in the sql-injection qhelp

2026-04-26 09:15:12 +02:00 · 2023-05-31 13:51:22 +02:00
parent 7d801e05ee
commit 98820780af
2 changed files with 21 additions and 0 deletions
--- a/javascript/ql/src/Security/CWE-089/SqlInjection.inc.qhelp
+++ b/javascript/ql/src/Security/CWE-089/SqlInjection.inc.qhelp
@@ -55,6 +55,12 @@ immune to injection attacks.
 </p>

 <sample src="examples/SqlInjectionFix.js" />
+
+<p>
+Alternatively, we can use a library like <code>sqlstring</code> to
+escape the user input before embedding it into the query string:
+</p>
+<sample src="examples/SqlInjectionFix2.js" />
 </example>

 <example>
--- a/javascript/ql/src/Security/CWE-089/examples/SqlInjectionFix2.js
+++ b/javascript/ql/src/Security/CWE-089/examples/SqlInjectionFix2.js
@@ -0,0 +1,15 @@
+const app = require("express")(),
+      pg = require("pg"),
+      SqlString = require('sqlstring'),
+      pool = new pg.Pool(config);
+
+app.get("search", function handler(req, res) {
+  // GOOD: the category is escaped using mysql.escape
+  var query1 =
+    "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" +
+    SqlString.escape(req.params.category) +
+    "' ORDER BY PRICE";
+  pool.query(query1, [], function(err, results) {
+    // process results
+  });
+});