Node-mssql: SQL Injection

Created on 9 Jul 2014 · 4 Comments · Source: tediousjs/node-mssql

Hi there
Does this module have a security feature to prevent SQL injection? (e.g. similar to https://github.com/felixge/node-mysql#escaping-query-values)

If not, any existing modules can handle this?

I think this is a very much needed feature.

All 4 comments

This module has escaping built-in. Just use parameters to pass escaped values to your query.

var sql = require('mssql');
// After sql.connect(config, ...) a Request can be created; values passed
// through request.input() are sent as named parameters, not spliced into the SQL text.
var request = new sql.Request();
request.input('myval', sql.VarChar, '-- commented');
request.query('select @myval as myval', function(err, recordset) {
    console.dir(recordset);
});

Thanks for the info.

I think it is an important feature to be mentioned in the doc.

On 9 Jul 2014, at 11:18 am, Patrik Simek wrote:

hi, please, add this example to the wiki.
It took me quite some time to figure it out.
It looks like it can only be used with prepared statements.

thanks

It would be nice to have some example showing how we should escape params for WHERE clause

e.g. SELECT * FROM TableName WHERE username = ?? AND email = ??

I'm not sure how I can insert values for username and email to have them escaped.
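
An added example (not code from the node-mssql project or from anyone in this thread) showing how the WHERE clause asked about above is written with named parameters instead of string concatenation. It assumes the request.input(name, type, value) / request.query(text, callback) API shown in the accepted answer; the RecordingRequest object is a constructed stand-in for sql.Request so the bindings can be inspected without a server, and the function names are hypothetical.

```javascript
// Vulnerable shape, kept only as the "before": values are pasted into the SQL
// text, so a single quote in the input changes the statement's structure.
function unsafeWhere(username, email) {
  return "SELECT * FROM TableName WHERE username = '" + username +
         "' AND email = '" + email + "'";
}

// Safe shape: each value is bound as a parameter. The SQL text carries only
// the @names, the driver ships the values separately, and the server never
// parses them as SQL. With the real driver pass sql.VarChar as varCharType
// and then call request.query(text, callback) exactly as in the accepted answer.
function safeWhere(request, varCharType, username, email) {
  request.input('username', varCharType, username);
  request.input('email', varCharType, email);
  return 'SELECT * FROM TableName WHERE username = @username AND email = @email';
}

// Constructed stand-in for sql.Request (hypothetical, for offline inspection):
// records what was bound instead of sending it to SQL Server.
// Real usage: var sql = require('mssql'); var request = new sql.Request();
function RecordingRequest() { this.params = {}; }
RecordingRequest.prototype.input = function (name, type, value) {
  this.params[name] = { type: type, value: value };
};

// Run both shapes on a constructed input containing a quote character.
function demo() {
  var name = "O'Brien";               // constructed sample input
  var email = 'obrien@example.com';   // constructed sample input
  var request = new RecordingRequest();
  var text = safeWhere(request, 'VarChar', name, email);
  return {
    unsafe: unsafeWhere(name, email), // quote terminates the literal early
    safe: text,                       // SQL text is constant; values stay out of it
    params: request.params
  };
}
```

In the unsafe string the apostrophe in O'Brien closes the literal, which is the same mechanism the '-- commented' value in the accepted answer would exploit; in the safe version the text never changes regardless of input.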
