Comments (9)
yang
commented on July 26, 2024
1
First off - thanks for this library @hiddentao.
The point is that the auto-quoting is broken. Simply surrounding a string with single quotes is incorrect and a textbook injection example. I'd argue it's worse than no quoting at all as users may mistakenly assume that proper quoting is implemented.
from squel.
hiddentao
commented on July 26, 2024
Squel auto-quotes string values. You can tell it to use a different quote character, or you can tell it to not auto-quote.
from squel.
acroca
commented on July 26, 2024
from squel.
hiddentao
commented on July 26, 2024
@yang I don't know if this helps but #34 has been merged in now, which means that parameterized queries are much easier to do (ideally you should be running a parameterized query through your db engine's query escaping routine so ensure that the query is safe).
As for preventing query injection, #8 is the discussion around that.
from squel.
mayanklahiri
commented on July 26, 2024
Hi there, this still seems to be broken at 3.1.1 on node 0.10.26.
squel.insert().into('test').set('q', '{"key":"aint"}').toString()
'INSERT INTO test (q) VALUES (\'{"key":"aint"}\')'
squel.insert().into('test').set('q', '{"key":"ain\'t"}').toString()
'INSERT INTO test (q) VALUES (\'{"key":"ain\'t"}\')'
from squel.
hiddentao
commented on July 26, 2024
@mayanklahiri What is your expected output?
from squel.
mayanklahiri
commented on July 26, 2024
Sorry, it's not immediately obvious because the node shell does some weird escaping if you don't use console.log(). Here's a more clear example, with expected output:
var q = squel.insert().into('test');
console.log(q.set("col", "something").toString())
INSERT INTO test (col) VALUES ('something')
console.log(q.set("col", "some'thing").toString())
INSERT INTO test (col) VALUES ('some'thing')
Clearly the second query has a syntax error (and injection). The expected output (for Postgres) should be (the change is to have two single quotes side by side):
INSERT INTO test (col) VALUES ('some''thing')
I do not know how to quote strings correctly for other databases, but I would imagine it's something like \'
from squel.
hiddentao
commented on July 26, 2024
Ok, a change was merged into the postgres flavour (#35) which fixed this for that. I might merge that into the core Squel code. That would sort this problem out once and for all.
from squel.
hiddentao
commented on July 26, 2024
The replaceSingleQuotes option is now available in Squel core, see http://hiddentao.github.io/squel/api.html#cls_defaultquerybuilderoptions
from squel.
Related Issues (20)
- Add option to add column/table name as a parameter HOT 1
- Add semantic-comparison logic for queries/expressions
- Feature request: Placeholders in the squel.case(...) expression?
- MSSQL Boolean type
- .group().having() is not a function HOT 1
- string escape is incorrect, especially when string contains \n or ', which may cause SQL injection HOT 1
- How to select into array? HOT 1
- Scalar values aliasing
- squel.select().from is undefined after minimizing HOT 6
- Numbered parameters in postgres flavour are substituted inside a string literal
- Incorrect syntax near '`'.
- SQL Server Update Fails with Trigger ? HOT 3
- Use a normal SQL string HOT 2
- Can you get the result value from an object like the result map of mybtis?
- SQL Server Select HOT 1
- Interested in Becoming an Active co-maintainer HOT 1
- How to use IGNORE in INSERT in mysql?
- Mark as deprecated HOT 1
- Grouping conditions together in expression HOT 1
- Lateral Joins
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from squel.