Warning: Security Issues with Query-Type-Escaping and Express #501

Closed
denisu opened this Issue May 27, 2013 · 0 comments

denisu commented May 27, 2013

Hi,

If you are using Express and the Express query parser, you might be doing something like GET /users?id=xxx

And in your app:

db.query('SELECT * FROM users WHERE id = ?', [req.query.id])

I have seen this several times now; this is very dangerous! The Express query parser is translating arrays and objects, which node-mysql loves to translate as well.

So, an attacker could do GET /users?id[id]=1 which Express translates to {"id":"1"} which ends up as

SELECT * FROM users WHERE id = id = '1'

I understand that this might not be an issue with node-mysql, but it would be great to have an option to turn off the automatic type translation in node-mysql, maybe even by default, since most people are not expecting the escaper to behave like that.

tellnes added a commit to tellnes/node-mysql that referenced this issue May 28, 2013

@felixge felixge closed this in #502 May 29, 2013
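
The behaviour reported above and an application-side guard, as an added example that is not part of the original post and not node-mysql's own code. `toyEscape` and `toyFormat` are a simplified stand-in for the escaper's object and array expansion, `requireIntParam` is a hypothetical helper, and the `req.query` objects are constructed.

```javascript
// Simplified stand-in for the escaper behaviour described in the issue:
// scalars become literals, arrays become comma lists, objects become
// `key` = 'value' pairs. Illustration only, not node-mysql's code.
function toyEscape(value) {
  if (Array.isArray(value)) return value.map(toyEscape).join(', ');
  if (value !== null && typeof value === 'object') {
    return Object.keys(value)
      .map((k) => '`' + k.replace(/`/g, '``') + '` = ' + toyEscape(value[k]))
      .join(', ');
  }
  if (typeof value === 'number') return String(value);
  return "'" + String(value).replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'";
}

// Substitute each ? placeholder with the expanded form of its parameter.
function toyFormat(sql, params) {
  let i = 0;
  return sql.replace(/\?/g, () => toyEscape(params[i++]));
}

// Hypothetical guard: accept only a string of decimal digits and return a
// Number, so objects and arrays never reach the placeholder.
function requireIntParam(raw, name) {
  if (typeof raw !== 'string' || !/^[0-9]{1,15}$/.test(raw)) {
    const err = new TypeError('invalid query parameter: ' + name);
    err.status = 400; // lets an Express error handler answer 400
    throw err;
  }
  return Number(raw);
}

const SQL = 'SELECT * FROM users WHERE id = ?';

// Constructed req.query values, shaped as the query parser would produce them.
const plainQuery = { id: '1' };          // GET /users?id=1
const nestedQuery = { id: { id: '1' } }; // GET /users?id[id]=1
const arrayQuery = { id: ['1', '2'] };   // array-valued id

// Passing req.query.id straight through, as in the issue.
function unguarded(query) { return toyFormat(SQL, [query.id]); }

// Validating the type first; throws for anything that is not a digit string.
function guarded(query) { return toyFormat(SQL, [requireIntParam(query.id, 'id')]); }
```

`unguarded(nestedQuery)` shows the object expanding into the WHERE clause, while `guarded(nestedQuery)` throws before any SQL is built.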
