Warning: Security Issues with Query-Type-Escaping and Express #501

Closed
denisu opened this Issue May 27, 2013 · 0 comments

denisu commented May 27, 2013

Hi,

if you are using Express and the Express query parser, you might be doing something like GET /users?id=xxx

And in your app:

db.query('SELECT * FROM users WHERE id = ?', [req.query.id])

I have seen this several times now; this is very dangerous! The Express query parser is translating arrays and objects, which node-mysql loves to translate as well.

So, an attacker could do GET /users?id[id]=1, which Express translates to {"id":"1"}, which ends up as

SELECT * FROM users WHERE id = `id` = '1'

I understand that this might not be an issue with node-mysql, but it would be great to have an option to turn off the automatic type translation in node-mysql, maybe even by default, since most people are not expecting the escaper to behave like that.

tellnes added a commit to tellnes/node-mysql that referenced this issue May 28, 2013

add `stringifyObjects` option
fixes #501
dd921c3

felixge closed this in #502 May 29, 2013
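The behaviour reported in this issue, as an added example that is not part of the original thread and is not node-mysql's own code: `escapeValue` and `format` are a simplified, hypothetical model of the escaper's object handling with and without the `stringifyObjects` option, and `requireIntId` is a hypothetical guard that rejects non-scalar query parameters before they reach the query. The parsed query objects are constructed samples.

```javascript
// Simplified model of the value escaper (an assumption for illustration,
// not node-mysql's source): plain objects become `key` = 'value' pairs
// unless stringifyObjects is set, in which case they are stringified first.
function escapeValue(val, stringifyObjects) {
  if (val === null || val === undefined) return 'NULL';
  if (typeof val === 'number') return String(val);
  if (Array.isArray(val)) {
    return val.map((v) => escapeValue(v, stringifyObjects)).join(', ');
  }
  if (typeof val === 'object') {
    if (stringifyObjects) return escapeValue(String(val), true);
    return Object.keys(val)
      .map((k) => '`' + k.replace(/`/g, '``') + '` = ' + escapeValue(val[k], false))
      .join(', ');
  }
  // Strings: quote and backslash-escape quotes and backslashes.
  return "'" + String(val).replace(/['\\]/g, '\\$&') + "'";
}

// Replace each ? placeholder with the escaped value, in order.
function format(sql, values, stringifyObjects) {
  let i = 0;
  return sql.replace(/\?/g, () => escapeValue(values[i++], stringifyObjects));
}

// Hypothetical guard: an id parameter must be a string of decimal digits.
// Objects and arrays produced by the query parser are rejected here.
function requireIntId(raw) {
  if (typeof raw !== 'string' || !/^[0-9]{1,15}$/.test(raw)) {
    throw new TypeError('id must be a decimal integer string');
  }
  return Number(raw);
}

const SQL = 'SELECT * FROM users WHERE id = ?';

// Constructed samples of what the query parser hands to the route.
const scalarQuery = { id: '1' };          // GET /users?id=1
const nestedQuery = { id: { id: '1' } };  // GET /users?id[id]=1

console.log(format(SQL, [scalarQuery.id], false)); // expected scalar case
console.log(format(SQL, [nestedQuery.id], false)); // object expanded into SQL
console.log(format(SQL, [nestedQuery.id], true));  // object stringified instead
console.log(format(SQL, [requireIntId(scalarQuery.id)], false)); // validated
```

Validating the parameter type at the route keeps the query shape fixed regardless of how the escaper is configured.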
