sql injection in "IN" statement #5671
Comments
Sequelize handles replacements before passing it along to the driver IIRC.

Let me explain myself. Example:

```javascript
const Sequelize = require('sequelize'),
  database = new Sequelize( ... );

database.query('SELECT * FROM Table WHERE Name IN (:names)', {
  replacements: {
    names: ["test", "'); DELETE Table WHERE Id = 1 --')"]
  }
});
```

The query will be:

```sql
SELECT Id FROM Table WHERE Name IN ('test', '\'); DELETE Table WHERE Id = 1 --')
```

In mssql backslash isn't a special character.

in mssql tnx

Yeah it should actually already be doing that: https://github.com/sequelize/sequelize/blob/master/lib/sql-string.js#L61

so this is not working as you expected.. i'm debugging this now.

found the mistake. creating PR now.

somebody already fixed this one in 23952a2.

That version is already on npm, as is evident from the tags on that commit

right, my mistake.
i'm using mssql.
sequelize version is 3.19.3.
sample:
because tedious doesn't support arrays as parameters you must add a parameter for every item in the array and use it in the query (IN (:ids0, :ids1, :ids2, :ids3)). now there is an option to do sql injection.
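Added example, not part of this issue thread and not Sequelize's own code. It puts together the two points raised above: the per-item replacement expansion the reporter describes for tedious (`IN (:ids0, :ids1, ...)`), and the quoting rule that in T-SQL a single quote inside a string literal is escaped by doubling it, not with a backslash. The functions `expandInList`, `quoteMssql`, `quoteBackslash`, `render` and `extractLiterals` are constructed for this demonstration and say nothing about how Sequelize's `sql-string.js` actually implements escaping; the sample values are the ones from the comment above. `extractLiterals` is the defender's check: it scans the rendered SQL with T-SQL literal rules and confirms that every input value comes back as exactly one literal.

```javascript
// Added example (not Sequelize's code). Demonstrates (1) expanding an array
// into one named replacement per item, as needed for tedious, and (2) why a
// value quoted for T-SQL must double single quotes rather than backslash them.

// Build "IN (:base0, :base1, ...)" plus the matching replacements object.
// Placeholder names come from the base name and an index, never from the
// values, so user input is never spliced into the SQL text itself.
function expandInList(baseName, values) {
  if (!Array.isArray(values) || values.length === 0) {
    throw new Error('IN list must be a non-empty array');
  }
  const names = values.map((_, i) => `${baseName}${i}`);
  const replacements = {};
  names.forEach((n, i) => { replacements[n] = values[i]; });
  return {
    fragment: `IN (${names.map((n) => `:${n}`).join(', ')})`,
    replacements,
  };
}

// Quote a string literal for T-SQL: inside a single-quoted literal the only
// special character is the single quote, escaped by doubling it.
function quoteMssql(value) {
  return `'${String(value).replace(/'/g, "''")}'`;
}

// MySQL-style backslash escaping, shown for comparison only: T-SQL treats
// the backslash as an ordinary character, so the quote is still unescaped.
function quoteBackslash(value) {
  return `'${String(value).replace(/'/g, "\\'")}'`;
}

// Minimal ":name" substitution for this demonstration. A real application
// passes `replacements` to sequelize.query() and lets the library do this.
function render(sql, replacements, quote) {
  return sql.replace(/:(\w+)/g, (match, name) => {
    if (!(name in replacements)) throw new Error(`missing replacement ${name}`);
    return quote(replacements[name]);
  });
}

// Scan T-SQL single-quoted literals (a doubled quote is an escaped quote)
// and return their decoded values. If each input value comes back as one
// literal, nothing escaped the quotes; extra literals mean the value broke
// out and part of it is now SQL.
function extractLiterals(sql) {
  const out = [];
  let i = 0;
  while (i < sql.length) {
    if (sql[i] !== "'") { i++; continue; }
    let buf = '';
    i++;
    for (;;) {
      if (i >= sql.length) throw new Error('unterminated literal');
      if (sql[i] === "'") {
        if (sql[i + 1] === "'") { buf += "'"; i += 2; continue; }
        i++;
        break;
      }
      buf += sql[i++];
    }
    out.push(buf);
  }
  return out;
}

// Constructed input, taken from the issue: one normal value, one hostile.
const names = ["test", "'); DELETE Table WHERE Id = 1 --')"];
const { fragment, replacements } = expandInList('names', names);
const sql = `SELECT Id FROM Table WHERE Name ${fragment}`;

// Render the same query under both quoting rules. With doubled quotes the
// hostile value stays inside a single literal; with backslashes it does not.
function demo() {
  return {
    sql,
    backslash: render(sql, replacements, quoteBackslash),
    mssql: render(sql, replacements, quoteMssql),
  };
}

console.log(demo());
console.log('literals (mssql):', extractLiterals(demo().mssql));
console.log('literals (backslash):', extractLiterals(demo().backslash));
```

Running it shows the backslash-rendered query splitting into three literals with the `DELETE` outside any of them, while the doubled-quote rendering yields exactly the two input strings. The same `extractLiterals` check can be run against any SQL a dialect layer produces for MSSQL as a unit test of its escaping.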