Hey guys,
Just curious about constructing parameterized queries.....usually this entails some level of mitigation against sql injection attacks. Is that also true for this module? Thanks!
jwyuen
All 6 comments
Absolutely true for this module. That's why the parameterized query support in node-postgres is first class. All escaping is done by the postgresql server ensuring proper behavior across dialects, encodings, etc...
brianc
on 16 Aug 2011
Cool! So does that mean I don't need to do any pre-parsing of user input to check for sql injection?
jwyuen
on 16 Aug 2011
Correct. For example, this will not inject sql:
INSERT INTO user(name) VALUES($1), ["'; DROP TABLE user;"]
brianc
on 16 Aug 2011
Awesome. Thanks for the quick feedback :)
jwyuen
on 16 Aug 2011
@jwingy thanks for raising this i was wondering too. @brianc thanks for already doing the "right thing". i added this to the FAQ in the wiki.
neonstalwart
on 16 Aug 2011
awesome! Thank you!
brianc
on 16 Aug 2011
Related issues
gregallenvt
路
3Comments
Cosrnos
路
3Comments
gpanainte
路
3Comments
LukeSchlangen
路
4Comments
gajus
路
4Comments
Most helpful comment
Absolutely true for this module. That's why the parameterized query support in node-postgres is first class. All escaping is done by the postgresql server ensuring proper behavior across dialects, encodings, etc...