Escape all sql statements to avoid sql injections #16
… by default from node mysql package
:o not sure where I've read this, but I was in the thought that this package does automatic escaping. However: the initial thought was to use mysql only as temporary so we can keep the old db structure as much as possible and switch to mongodb at some point. @roschaefer what exactly do you need help with? I am a bit short of time at the moment.

@mimicc83 I would like to get this deployed as soon as possible to avoid the SQL vulnerability - I have no idea how to do that. Neither do I have a clue how to back up the database to avoid data loss.

There is no deployment pipeline set up on this, so you would have to either set up docker or do a drag-and-drop deployment (it should be only this single file that needs changes; the client would not be affected). To back up the database, mysqldump should be sufficient.

@mimicc83 and @matthib, are you available today at 4:30pm? I would like to back up or deploy today. cc @AndreiBu

Escape all sql statements to avoid sql injections as this is not done… by default from node mysql package.
Contrary to the statement here, the user input and thus most fields are NOT automatically sanitized and escaped by node mysql. At least not in the way it was done until now.
See: https://www.npmjs.com/package/mysql#escaping-query-values and https://stackoverflow.com/questions/49015570/node-mysql-escaping-mysql-escape-mysql-escapeid (last answer) just to name a few.
This is why I had to change every sql statement accessing user input, so that it is escaped and we don't suffer from sql injection attacks.
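The escaping the PR description refers to, as an added example that is not part of the PR or of the mysql package: a query built by string concatenation beside the same query built through `?` placeholders. `escapeValue` and `formatQuery` are assumed stand-ins that follow the escaping rules documented in the linked README (they skip the `??` identifier placeholder); real code should call the package's own `mysql.escape()`, `mysql.format()` or `connection.query(sql, [values])`.

```javascript
// Added example (not from the PR): why concatenation is injectable and what
// node-mysql's `?` placeholder substitution does instead.
// escapeValue is a small stand-in for mysql.escape(); it backslash-escapes the
// same characters the README lists and wraps the result in single quotes.

// Characters mysql.escape() backslash-escapes inside a quoted string literal.
const ESCAPES = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
};

function escapeValue(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') return String(value);
  if (typeof value === 'boolean') return value ? 'true' : 'false';
  if (Array.isArray(value)) return value.map(escapeValue).join(', ');
  const s = String(value).replace(/[\0\b\t\n\r\x1a"'\\]/g, (c) => ESCAPES[c]);
  return `'${s}'`;
}

// Stand-in for mysql.format(): each `?` is replaced by the next escaped value.
function formatQuery(sql, values) {
  let i = 0;
  return sql.replace(/\?/g, () => {
    if (i >= values.length) throw new Error('not enough values for placeholders');
    return escapeValue(values[i++]);
  });
}

// The pattern the PR removed: user input concatenated into the statement.
function unsafeUserQuery(username) {
  return "SELECT * FROM users WHERE name = '" + username + "'";
}

// The pattern the PR introduced: the value goes through escaping.
function safeUserQuery(username) {
  return formatQuery('SELECT * FROM users WHERE name = ?', [username]);
}

// Constructed sample input containing a quote that would close the literal early.
const sample = "bob' OR '1'='1";
console.log(unsafeUserQuery(sample)); // the quote ends the literal; the rest is SQL
console.log(safeUserQuery(sample));   // every quote is escaped; it stays one literal
```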