Warning: Security Issues with Query-Type-Escaping and Express #501
If you are using Express and the Express query parser, you might be doing something like
And in your app:
I have seen this several times now; this is very dangerous! The Express query parser is translating arrays and objects, which node-mysql loves to translate as well.
So, an attacker could do
I understand that this might not be an issue with node-mysql, but it would be great to have an option to turn off the automatic type translation in node-mysql, maybe even by default, since most people are not expecting the escaper to behave like that.