Fix SQL injection #18
Conversation
| @@ -476,6 +476,9 @@ MsSQL.prototype.toDatabase = function (prop, val, wrap) { | |||
| return val; | |||
| } | |||
| if (prop.type.name === 'Number') { | |||
| if (isNaN(Number(val))) { | |||
| val = "'" + val +"'"; // Convert to a string so that DB will reject it | |||
There was a problem hiding this comment.
Need to escape val... This is still an issue.
There was a problem hiding this comment.
Perhaps if (isNaN(Number(val))) { val = escape(''+val); } will do the trick?
On the other hand, I don't understand why we need to specifically handle this case, why can't we use escape(val) directly?
|
Related, though out of scope of this PR: Use parameterized queries in SQL connectors strongloop/loopback#983 |
raymondfeng
force-pushed
the
feature/fix-sql-injection
branch
from
e4284b5 to
a8eef61
Compare
|
I added an escape() to handle embedded single quote. |
| }); | ||
| // return "q'#"+val+"#'"; | ||
| return "'" + val + "'"; | ||
| } |
There was a problem hiding this comment.
Until we ditch out string concatenation in favour of parameterized commands/queries: it would be nice to move this escape function to loopback-connector/lib/sql.js so that there is only one instance of this code shared by all SQL connectors.
/to @bajtos or @ritch