Node-sqlite3: Defending against SQL injection?

Created on 21 Jan 2012 · 2 Comments · Source: mapbox/node-sqlite3

I'm looking for some guidance on preventing SQL injection attacks, specifically with node-sqlite3.

For example, will using

Database#prepare(sql, [param, ...], [callback])

protect against SQL injection?

Thanks.

All 2 comments

SQLite protects you against SQL injections if you specify user-supplied data as part of the params rather than stringing together an SQL query:

BAD: db.prepare("INSERT INTO foo VALUES(" + variable + ")");

GOOD: db.prepare("INSERT INTO foo VALUES (?)", variable);

By using the placeholder ?, SQLite automatically treats the data as input data and it does not interfere with parsing the actual SQL statement.

Thanks. I hoped so. I did not want to assume that "prepare" in node-sqlite3 means the same thing as sqlite3_prepare in the sqlite libs. I should stop being lazy and just look at the source. :) Thanks!

On Jan 21, 2012 3:08 AM, "Konstantin Käfer" <[email protected]> wrote:

SQLite protects you against SQL injections if you specify user-supplied data as part of the params rather than stringing together an SQL query:

BAD: db.prepare("INSERT INTO foo VALUES(" + variable + ")");

GOOD: db.prepare("INSERT INTO foo VALUES (?)", variable);

By using the placeholder ?, SQLite automatically treats the data as input data and it does not interfere with parsing the actual SQL statement.

Reply to this email directly or view it on GitHub: https://github.com/developmentseed/node-sqlite3/issues/57#issuecomment-3595460
