
I am sending a JSON array with filter parameters from ExtJS in the SQL function parameter.

filters look like this:

[{"field":"product_type_id","data":{"type":"number","value":"43","comparison":"in"}},{"field":"code","data":{"type":"string","value":"RRR","comparison":"like"}}]

I would like to protect myself against possible SQL injection, but my sanitizeString function removes all characters such as {, ", :, etc. This prevents me from sending JSON, so I cannot use it for parameters. Can you tell me how to best protect myself from SQL injection and at the same time pass JSON in the parameter without any problems?

// this.DBModels?.execQuery
execQuery<T = any>(query: string, callback: (err: Error, data: T[]) => void) {
  // Hands the already-built SQL string straight to the driver; nothing here escapes anything.
  this.db.driver.execQuery(query, (err: Error, data: T[]): void => {
    callback(err, data)
  })
}

// Call site: functionParameter (the JSON array) is interpolated into the SQL text,
// so every quote inside it becomes part of the statement itself.
this.DBModels?.execQuery(
  `SELECT * FROM ${sanitizeString(functionName)}('${functionParameter}')`,
  (err: Error, rows: any[]) => {
    // handle err / rows
  }
)
    I'm not sure I understand this question. Surely your database library is handling parameter escaping for you? If not, get a better database library. Commented Oct 9 at 16:14
  • @RichardHuxton I use the orm library, but as you can see in the part of the code, I provide a query which I concatenate as a whole string. I guess it's not sanitized by the library? Commented Oct 9 at 17:50
  • @Pawel You mean the no longer actively maintained node-orm2 you get from npm install orm? If you have control or influence over this, consider a switch. Not much point discussing security issues concerning a library that saw its last patch 9 years ago. Commented Oct 9 at 18:04

2 Answers


Sanitize the function name and bind the JSON variable as a query parameter. Using an example from node-postgres:

// backticks, not single quotes, so that ${...} is actually interpolated
const queryBody = `SELECT * FROM ${sanitizeString(functionName)}($1)`
const functionParameter = [{"field":"product_type_id","data":{"type":"number","value":"43","comparison":"in"}},{"field":"code","data":{"type":"string","value":"RRR","comparison":"like"}}]
// pg sends a JS array as a Postgres array literal, not JSON, so pass the JSON text; it travels as bind parameter $1
await client.query(queryBody, [JSON.stringify(functionParameter)])

That way the query gets sent, parsed and validated as SQL on its own, the param sent separately and validated as a db-side json-type constant before being made available to the executor of the actual query. At no point does the db even consider parsing that value as a part of the SQL statement.

Note that if the db-side function uses dynamic SQL, you need to make sure it also binds the param it receives with USING, an %L placeholder in a format() or sanitizes it with quote_literal().
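A worked version of the two points in this answer (a checked function name, and the filter JSON bound as a parameter rather than spliced into the SQL text), added here as an example; it is not code from the question, from this answer, or from node-postgres. The names in ALLOWED_FUNCTIONS, the `$1::jsonb` cast and the column names in the sample are assumptions about the database side; `{ text, values }` is the query-config shape node-postgres accepts, and no connection is opened.

```javascript
// Added example: build the parameterized call the accepted answer describes,
// without ever splicing the filter JSON into the SQL text. Assumes the pg
// (node-postgres) driver, which accepts a { text, values } query object;
// no database connection is opened here.

// Allow-list instead of sanitizeString(): an unknown function name is rejected,
// not "cleaned". The names are hypothetical.
const ALLOWED_FUNCTIONS = new Set(['search_products', 'search_orders']);

// Quote a Postgres identifier: wrap in double quotes, doubling any embedded ones.
function quoteIdent(name) {
  return '"' + name.replace(/"/g, '""') + '"';
}

// Shape check on the ExtJS grid filter array before it goes anywhere near SQL.
function validateFilters(filters) {
  if (!Array.isArray(filters)) throw new TypeError('filters must be a JSON array');
  for (const f of filters) {
    const ok = f && typeof f.field === 'string'
      && f.data && typeof f.data === 'object'
      && typeof f.data.comparison === 'string';
    if (!ok) throw new TypeError('each filter needs a field and a data.comparison');
  }
  return filters;
}

// Returns the query object for client.query(). The function name is checked
// against the allow-list and quoted as an identifier; the filters travel as
// bind parameter $1 and are cast to jsonb on the server (assumes the
// function's parameter type is jsonb).
function buildFunctionCall(functionName, filters) {
  if (!ALLOWED_FUNCTIONS.has(functionName)) {
    throw new Error(`function not allowed: ${functionName}`);
  }
  validateFilters(filters);
  return {
    text: `SELECT * FROM ${quoteIdent(functionName)}($1::jsonb)`,
    // pg serializes a JS array as a Postgres array literal, not JSON, so the
    // JSON text is produced explicitly. Quotes, braces and colons inside it
    // are just bytes in a bind value, never SQL.
    values: [JSON.stringify(filters)],
  };
}

// Constructed sample input (not from the question), including a value that
// contains a single quote, which would have broken the concatenated version.
const SAMPLE_FILTERS = [
  { field: 'product_type_id', data: { type: 'number', value: '43', comparison: 'in' } },
  { field: 'code', data: { type: 'string', value: "O'Reilly", comparison: 'like' } },
];

// Usage with a connected pg client:
//   const { rows } = await client.query(buildFunctionCall('search_products', SAMPLE_FILTERS));
console.log(buildFunctionCall('search_products', SAMPLE_FILTERS));
```

The allow-list is the part worth keeping even if you stay with the ORM: an identifier cannot be bound as a parameter, so the only safe options for the function name are a fixed set of known names or proper identifier quoting, and sanitizeString() does neither. Everything that came from the browser (the filter array) goes through `values`, where the driver sends it out-of-band, so the JSON needs no escaping at all.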




for node mariadb

multipleStatements: false

1 Comment

Keep in mind that this question was specifically about PostgreSQL, and answers should stay on-topic. If you'd like (and if there's not a duplicate answer already), you can create a new question regarding how to do this in MariaDB and then self-answer it.
