Hi,

if you are using Express and the Express query parser, you might be doing something like

    GET /users?id=xxx

And in your app:

    db.query('SELECT * FROM users WHERE id = ?', [req.query.id])

I have seen this several times now, this is very dangerous! The Express query parser is translating arrays and objects, which node-mysql loves to translate as well.

So, an attacker could do

    GET /users?id[id]=1

which Express translates to {"id":"1"} which ends up as

    SELECT * FROM users WHERE id = id = '1'

I understand that this might not be an issue with node-mysql, but it would be great to have an option to turn off the automatic type translation in node-mysql, maybe even by default, since most people are not expecting the escaper to behave like that.
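The interaction the report describes, as an added example that is not code from node-mysql or from the issue author. It models the two behaviours the report combines: a query parser that turns bracketed keys into nested objects, and a value escaper that turns objects into "key = value" pairs. escapeId, escapeValue and format below are a simplified stand-in for node-mysql's escaping rules (assumption: the real module also handles Date, Buffer and nested arrays, which are left out here). normalQuery and attackQuery are constructed request objects, assumed to be what Express's bracket-aware query parser produces for GET /users?id=42 and GET /users?id[id]=1. buildUserQueryVulnerable and buildUserQuerySafe are hypothetical handler helpers, not an API of either project.

```javascript
// Added example, not node-mysql's or the issue author's code.
// Simplified model of node-mysql's escaping rules (assumption: the real module
// also handles Date, Buffer and nested arrays; those cases are omitted here).

function escapeId(id) {
  // identifiers are backtick-quoted, with embedded backticks doubled
  return '`' + String(id).replace(/`/g, '``') + '`';
}

function escapeValue(val) {
  if (val === undefined || val === null) return 'NULL';
  if (typeof val === 'number' || typeof val === 'boolean') return String(val);
  if (Array.isArray(val)) {
    // arrays become a comma-separated list: ['a', 1] -> 'a', 1
    return val.map(escapeValue).join(', ');
  }
  if (typeof val === 'object') {
    // objects become "key = value" pairs: {id: '1'} -> `id` = '1'
    // This is the translation the report is about.
    return Object.keys(val)
      .map((k) => escapeId(k) + ' = ' + escapeValue(val[k]))
      .join(', ');
  }
  // strings: single-quote, and backslash-escape the characters MySQL treats specially
  const escaped = String(val).replace(/[\0\b\t\n\r\x1a'"\\]/g, (c) => {
    switch (c) {
      case '\0': return '\\0';
      case '\b': return '\\b';
      case '\t': return '\\t';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\x1a': return '\\Z';
      case "'": return "\\'";
      case '"': return '\\"';
      default: return '\\\\'; // the backslash itself
    }
  });
  return "'" + escaped + "'";
}

function format(sql, values) {
  // replace each ? placeholder, left to right, with the escaped value
  let i = 0;
  return sql.replace(/\?/g, () => escapeValue(values[i++]));
}

// Constructed request objects, i.e. what req.query looks like after parsing.
// Assumption: GET /users?id=42 parses to the first and GET /users?id[id]=1
// parses to the second under Express's bracket-aware query parser.
const normalQuery = { id: '42' };
const attackQuery = { id: { id: '1' } };

// Vulnerable handler (hypothetical): forwards req.query.id to the placeholder untouched.
function buildUserQueryVulnerable(query) {
  return format('SELECT * FROM users WHERE id = ?', [query.id]);
}

// Hardened handler (hypothetical): refuse anything that is not a scalar of the
// expected shape before it can reach the escaper. The type check is the point;
// the escaper cannot know that an object was never a valid value for this column.
function buildUserQuerySafe(query) {
  const raw = query.id;
  if (typeof raw !== 'string' || !/^[0-9]{1,18}$/.test(raw)) {
    throw new TypeError('id must be a decimal integer string');
  }
  return format('SELECT * FROM users WHERE id = ?', [Number(raw)]);
}

console.log(buildUserQueryVulnerable(normalQuery));
// SELECT * FROM users WHERE id = '42'
console.log(buildUserQueryVulnerable(attackQuery));
// SELECT * FROM users WHERE id = `id` = '1'
console.log(buildUserQuerySafe(normalQuery));
// SELECT * FROM users WHERE id = 42
try {
  buildUserQuerySafe(attackQuery);
} catch (e) {
  console.log('rejected:', e.message);
}
```

The attack output matters because MySQL evaluates `=` left to right: `id = id` is 1 for every row with a non-NULL id, and `1 = '1'` is true, so the WHERE clause matches the whole table instead of one row. The escaper did quote the string correctly; the problem is that the caller let the query parser choose the value's type. In Express 4 and later, `app.set('query parser', 'simple')` switches to Node's querystring module, which does not build nested objects, but a handler should still type-check its inputs, since a JSON request body can carry objects and arrays regardless of the query parser.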
tellnes added a commit to tellnes/node-mysql that referenced this issue on May 28, 2013