SQL injection with PostgreSQL #3545
Backslashes are not escaped properly in strings when using PostgreSQL, leading to possible SQL injections.
The following code drops the students table.
The console output is:
Tested with PostgreSQL 8.2.
added a commit
Apr 16, 2015
Wow, that’s a quick reaction! Thanks!
I tested with Sequelize 2.0.5. I think the test should check that the generated query contains the value as (in SQL):
instead of currently (in SQL):
I just saw in http://www.postgresql.org/docs/current/static/sql-syntax-lexical.html#SQL-SYNTAX-STRINGS-ESCAPE that the default setting for string escaping with backslashes in normal strings changed in PostgreSQL 9.1. Beginning with that version, they are disabled by default for normal strings, and work only if the string is prefixed with
In SQLAlchemy they do this:
```python
self._backslash_escapes = self.server_version_info < (8, 2) or \
    connection.scalar("show standard_conforming_strings") == 'off'
```
They escape all backslashes or not depending on this value. The version check is because
Even with PostgreSQL 9.2, Sequelize would be vulnerable to this if
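To make the two escaping modes concrete, here is an added JavaScript example (not Sequelize's or SQLAlchemy's code) that mirrors the SQLAlchemy decision quoted above and scans a quoted literal the way the server lexer would, so one can verify that a value never escapes its literal. The function names `backslashEscapesNeeded`, `quoteNaive`, `quoteLiteral` and `trailingSql` and the sample value are assumptions made for this example.

```javascript
// Added example, not part of the original issue or of Sequelize.
// PostgreSQL treats backslashes in ordinary '...' literals as escape
// characters on servers before 8.2 or when standard_conforming_strings
// is off; from 9.1 on it is on by default, so the two modes must be handled.

// Mirrors the SQLAlchemy check quoted above (server version as [major, minor]).
function backslashEscapesNeeded(serverVersion, standardConformingStrings) {
  const [major, minor] = serverVersion;
  const before82 = major < 8 || (major === 8 && minor < 2);
  return before82 || standardConformingStrings === 'off';
}

// Naive quoting that only doubles single quotes (the behaviour this issue reports).
function quoteNaive(value) {
  return "'" + value.replace(/'/g, "''") + "'";
}

// Hardened quoting: additionally doubles backslashes when the server
// treats them as escape characters.
function quoteLiteral(value, backslashEscapes) {
  let s = value.replace(/'/g, "''");
  if (backslashEscapes) s = s.replace(/\\/g, '\\\\');
  return "'" + s + "'";
}

// Scans a quoted literal under the given mode and returns the text that
// ends up OUTSIDE the literal. "" means the whole value stayed inside;
// null means the literal was never closed (a syntax error server-side).
function trailingSql(quoted, backslashEscapes) {
  let i = 1; // skip the opening quote
  while (i < quoted.length) {
    const c = quoted[i];
    if (backslashEscapes && c === '\\') { i += 2; continue; } // \x consumes the next char
    if (c === "'") {
      if (quoted[i + 1] === "'") { i += 2; continue; }       // '' is an escaped quote
      return quoted.slice(i + 1);                              // literal closed here
    }
    i += 1;
  }
  return null;
}

// Constructed sample: a backslash immediately followed by a single quote.
const SAMPLE = "x\\'; SELECT 1 --";

// Under backslash-escape mode the naive literal closes early, the hardened one does not.
function demo() {
  const mode = backslashEscapesNeeded([9, 2], 'off');
  return {
    naiveLeaks: trailingSql(quoteNaive(SAMPLE), mode),      // "; SELECT 1 --'"
    hardenedLeaks: trailingSql(quoteLiteral(SAMPLE, mode), mode), // ""
  };
}
```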