Skip to content

Fix SQL injection#18

Merged
raymondfeng merged 1 commit into
masterfrom
feature/fix-sql-injection
Jan 9, 2015
Merged

Fix SQL injection#18
raymondfeng merged 1 commit into
masterfrom
feature/fix-sql-injection

Conversation

@raymondfeng

@raymondfeng raymondfeng commented Jan 9, 2015

Copy link
Copy Markdown
Contributor

/to @bajtos or @ritch

ritch
ritch reviewed Jan 9, 2015
View reviewed changes
Comment thread lib/mssql.js Outdated

@ritch ritch Jan 9, 2015

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to escape val... This is still an issue.

@bajtos bajtos Jan 9, 2015

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps if (isNaN(Number(val))) { val = escape(''+val); } will do the trick?

On the other hand, I don't understand why we need to specifically handle this case, why can't we use escape(val) directly?

@bajtos

bajtos commented Jan 9, 2015

Copy link
Copy Markdown
Member

Related, though out of scope of this PR: Use parameterized queries in SQL connectors strongloop/loopback#983

@raymondfeng raymondfeng force-pushed the feature/fix-sql-injection branch from e4284b5 to a8eef61 Compare January 9, 2015 08:08
@raymondfeng

raymondfeng commented Jan 9, 2015

Copy link
Copy Markdown
Contributor Author

I added an escape() to handle embedded single quote.

raymondfeng added a commit that referenced this pull request Jan 9, 2015
@raymondfeng
Merge pull request #18 from strongloop/feature/fix-sql-injection
1440f3d 
Fix SQL injection
@raymondfeng raymondfeng merged commit 1440f3d into master Jan 9, 2015
@raymondfeng raymondfeng deleted the feature/fix-sql-injection branch January 9, 2015 08:16
bajtos
bajtos reviewed Jan 9, 2015
View reviewed changes
Comment thread lib/mssql.js

@bajtos bajtos Jan 9, 2015

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Until we ditch out string concatenation in favour of parameterized commands/queries: it would be nice to move this escape function to loopback-connector/lib/sql.js so that there is only one instance of this code shared by all SQL connectors.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@raymondfeng @bajtos @ritch