This repository has been archived by the owner on Nov 9, 2021. It is now read-only.

Bad query builder #338

Open
sm2017 opened this issue Nov 4, 2017 · 2 comments

Comments

@sm2017

sm2017 commented Nov 4, 2017

The following code

var squel = require("squel")

squel.insert()
        .into("students")
        .set("name", "Tho'mas")
        .toString()

will create a wrong query

INSERT INTO students (name) VALUES ('Tho'mas')

So here we not only have a bad query but also a possible SQL injection attack

@sm2017

sm2017 commented Nov 13, 2017

Can you help please?

@bryanjhv

You can use sqlstring module, like this:

import * as squel from 'squel'
import { escape } from 'sqlstring'

squel.registerValueHandler('string', (s) => escape(s))
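The following is an added example, not code from squel or from either participant in this issue. It reproduces the naive quoting that produces the broken statement in the report, and sets it beside two defensive builders: one that escapes string literals by doubling single quotes (standard SQL escaping; the sqlstring module suggested above does backslash-style escaping for MySQL instead), and one that emits a parameterized statement with a separate values array, which is the same shape squel's own toParam() returns and is the preferred fix because data never enters the SQL text. Table and column names are assumed to come from trusted code, so the example validates them against a strict identifier pattern rather than trying to escape them; the helper names and the sample row are constructed for this example.

```javascript
// Added example, not part of squel or of this issue thread.
// Identifiers cannot be parameterized, so they are whitelisted (assumption:
// they come from application code, never from user input).
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

function assertIdentifier(name) {
  if (typeof name !== 'string' || !IDENT.test(name)) {
    throw new Error(`refusing to use identifier: ${JSON.stringify(name)}`);
  }
  return name;
}

// Naive builder: wraps the raw value in quotes without escaping. This
// reproduces the broken statement from the issue and exists only to show
// the failure mode.
function naiveInsert(table, fields) {
  const cols = Object.keys(fields).map(assertIdentifier);
  const vals = cols.map((c) => `'${fields[c]}'`);
  return `INSERT INTO ${assertIdentifier(table)} (${cols.join(', ')}) VALUES (${vals.join(', ')})`;
}

// Escaped builder: every single quote inside a string literal is doubled
// (standard SQL escaping), so the data can no longer close the literal.
function escapeSqlString(value) {
  if (typeof value !== 'string') {
    throw new TypeError('escapeSqlString expects a string');
  }
  return `'${value.replace(/'/g, "''")}'`;
}

function escapedInsert(table, fields) {
  const cols = Object.keys(fields).map(assertIdentifier);
  const vals = cols.map((c) => escapeSqlString(String(fields[c])));
  return `INSERT INTO ${assertIdentifier(table)} (${cols.join(', ')}) VALUES (${vals.join(', ')})`;
}

// Parameterized builder: returns { text, values } like squel's toParam().
// Values are bound by the database driver and never touch the SQL text.
function paramInsert(table, fields) {
  const cols = Object.keys(fields).map(assertIdentifier);
  const placeholders = cols.map(() => '?').join(', ');
  return {
    text: `INSERT INTO ${assertIdentifier(table)} (${cols.join(', ')}) VALUES (${placeholders})`,
    values: cols.map((c) => fields[c]),
  };
}

// Cheap sanity check on a generated statement: an odd number of single
// quotes means a literal was opened or closed by the data itself. Useful
// as a test assertion on builder output, not as a substitute for binding.
function hasBalancedQuotes(sql) {
  const quotes = (sql.match(/'/g) || []).length;
  return quotes % 2 === 0;
}

// Constructed sample row using the exact value from the issue report.
const sample = { name: "Tho'mas" };

console.log('naive   :', naiveInsert('students', sample),
  '| balanced quotes:', hasBalancedQuotes(naiveInsert('students', sample)));
console.log('escaped :', escapedInsert('students', sample),
  '| balanced quotes:', hasBalancedQuotes(escapedInsert('students', sample)));
console.log('param   :', JSON.stringify(paramInsert('students', sample)));
```

Running this prints the issue's broken statement first (three single quotes, so the balance check fails), then the escaped form `'Tho''mas'`, then the parameterized form whose text contains only a `?` placeholder. A value handler like the one suggested above only fixes toString() output; switching callers to toParam() and letting the driver bind values removes the quoting problem entirely.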
