show how to use mysql.escape in the sql-injection qhelp

2025-12-22 19:56:32 +01:00 · 2023-05-31 13:51:22 +02:00
parent 7d801e05ee
commit 98820780af
2 changed files with 21 additions and 0 deletions
--- a/javascript/ql/src/Security/CWE-089/examples/SqlInjectionFix2.js
+++ b/javascript/ql/src/Security/CWE-089/examples/SqlInjectionFix2.js
@@ -0,0 +1,15 @@
+const app = require("express")(),
+      pg = require("pg"),
+      SqlString = require('sqlstring'),
+      pool = new pg.Pool(config);
+
+app.get("search", function handler(req, res) {
+  // GOOD: the category is escaped using mysql.escape
+  var query1 =
+    "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" +
+    SqlString.escape(req.params.category) +
+    "' ORDER BY PRICE";
+  pool.query(query1, [], function(err, results) {
+    // process results
+  });
+});