-
SQL Injection is a type of attack that allows the attacker to extract database information from the website's database. This is done by injecting SQL commands into the input fields of the website. This is possible when the website does not properly sanitize the user input.
-
The best way to prevent SQL Injection is to use prepared statements. Prepared statements are SQL statements that are sent to and parsed by the database server separately from any parameters. This way it is impossible for an attacker to inject malicious SQL.
-
There are many ways to test for SQL Injection. One of the most common ways is to use a single quote (') in the input field. If the website is vulnerable to SQL Injection, the website will throw an error. Another way is to use the SQL Injection cheat sheet. This cheat sheet contains many SQL Injection payloads that can be used to test for SQL Injection.
-
The SQL Injection cheat sheet can be found here.
Create a .env
file in the root directory of the project. This file should contain the following environment variables:
DB_HOST=localhost
DB_USER=root
DB_PASS=password
DB_NAME=sql_injection
Note: You can change the values of these variables to match your own database configuration.
To get started, install the required dependencies by running the following command:
npm install
Next, populate your database with initial data using the seed script:
npm run seed
Launch the server by executing the following command:
npm start
I've included some tests to illustrate the difference between a secure endpoint and an insecure one. You can execute these tests with the following command:
npm test
The first test is designed to sign in a user without requiring a password, demonstrating the vulnerability of SQL injection. The second test is intended to prevent user sign-in as it is a protected endpoint.