I'm looking for some guidance on preventing SQL injection attacks, specifically with node-sqlite3.
For example, will using Database#prepare(sql, [param, ...], [callback]) protect against SQL injection?
Thanks.
SQLite protects you against SQL injections if you specify user-supplied data as part of the params rather than stringing together an SQL query:
BAD: db.prepare("INSERT INTO foo VALUES(" + variable + ")");
GOOD: db.prepare("INSERT INTO foo VALUES (?)", variable);
By using the placeholder ?, SQLite automatically treats the data as input data and it does not interfere with parsing the actual SQL statement.
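To make the difference concrete, here is an added example (not code from the thread or from the node-sqlite3 project). It is written against Python's standard-library sqlite3 module, which drives the same SQLite C library (sqlite3_prepare_v2 plus sqlite3_bind_*) that node-sqlite3's Database#prepare(sql, [params]) wraps, so the "?" placeholder semantics shown are the ones node-sqlite3 inherits. The table and rows are constructed sample data; the function names lookup_concat, lookup_bound and demo are the example's own.

```python
"""Added example (not from the node-sqlite3 thread): why binding parameters
defeats SQL injection. Uses Python's stdlib sqlite3 module, which calls the
same SQLite engine (sqlite3_prepare_v2 / sqlite3_bind_*) that node-sqlite3's
Database#prepare(sql, [params]) wraps, so the '?' semantics are identical."""
import sqlite3


def make_db():
    # Constructed sample data, held in memory so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    return db


def lookup_concat(db, name):
    """BAD: the user-supplied value is spliced into the SQL text itself."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_bound(db, name):
    """GOOD: the value is bound to a '?' placeholder and never parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()


def demo():
    """Run both variants over the same inputs and return the outcomes."""
    db = make_db()
    results = {}

    # 1. A legitimate value containing a quote: concatenation corrupts the
    #    statement and SQLite refuses to parse it; binding is unaffected.
    try:
        lookup_concat(db, "O'Brien")
        results["concat_quote"] = "ok"
    except sqlite3.OperationalError as exc:
        results["concat_quote"] = "error: " + str(exc)
    results["bound_quote"] = lookup_bound(db, "O'Brien")

    # 2. A value that, if parsed as SQL, turns the WHERE clause into a
    #    tautology: concatenation returns every row, binding returns none
    #    because the whole string is compared as data against the name column.
    crafted = "x' OR '1'='1"
    results["concat_crafted"] = lookup_concat(db, crafted)
    results["bound_crafted"] = lookup_bound(db, crafted)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints a parse error for the concatenated "O'Brien" lookup and all three rows for the concatenated crafted value, while the bound variant returns exactly the matching row for "O'Brien" and nothing for the crafted string. The same holds for node-sqlite3's db.prepare("... VALUES (?)", variable): the placeholder is resolved by SQLite's bind interface after the statement text has already been compiled, so the bound value cannot change the statement's structure.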
Thanks. I hoped so. I did not want to assume that "prepare" in node-sqlite3 means the same thing as sqlite3_prepare in the sqlite libs. I should stop being lazy and just look at the source. :) Thanks!
On Jan 21, 2012 3:08 AM, "Konstantin Käfer" <[email protected]> wrote:
SQLite protects you against SQL injections if you specify user-supplied data as part of the params rather than stringing together an SQL query:
BAD: db.prepare("INSERT INTO foo VALUES(" + variable + ")");
GOOD: db.prepare("INSERT INTO foo VALUES (?)", variable);
By using the placeholder ?, SQLite automatically treats the data as input data and it does not interfere with parsing the actual SQL statement.
https://github.com/developmentseed/node-sqlite3/issues/57#issuecomment-3595460