Prevent SQL Injection in JavaScript / Node.js

javascript mysql sql node.js sql-injection

18,825

Solution 1

The best way to is to use prepared statements or queries (link to documentation for NPM mysql module: https://github.com/mysqljs/mysql#preparing-queries)

var sql = "SELECT * FROM table WHERE userid = ?";
var inserts = [message.author.id];
sql = mysql.format(sql, inserts);

If prepared statements is not an option (I have no idea why it wouldn't be), a poor man's way to prevent SQL injection is to escape all user-supplied input as described here: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#MySQL_Escaping

Solution 2

Here is the documentantion on how to properly escape any user provided data to prevent SQL injections: https://github.com/mysqljs/mysql#escaping-query-values . mysql.escape(userdata) should be enough.

18,825

Author by

Admin

Updated on June 04, 2022

Comments

Admin almost 2 years
I am using Node.js to create a Discord bot. Some of my code looks as follows:
```
var info = {
  userid: message.author.id
}

connection.query("SELECT * FROM table WHERE userid = '" + message.author.id + "'", info, function(error) {
  if (error) throw error;
});
```
People have said that the way I put in message.author.id is not a secure way. How can I do this? An example?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?

How to troubleshoot crashes detected by Google Play Store for Flutter app

Cupertino DateTime picker interfering with scroll behaviour

Why does awk -F work for most letters, but not for the letter "t"?

Flutter change focus color and icon color but not works

How to print and connect to printer using flutter desktop via usb?

Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0

Flutter Dart - get localized country name from country code

navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage

Android Sdk manager not found- Flutter doctor error

Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)

How to change the color of ElevatedButton when entering text in TextField

Related

How to access RowDataPacket mysql-node.js

Show database content in browser with node.js, MySQL and Jade

Querying MySQL with Node.JS and display results in webpage

Sequelize: find latest record per group of id

Nodejs MySQL connection query return value to function call

Sequelize Transaction Bulk Update followed by Bulk Create

How to use POST , GET for making search-box in Nodejs

use nodejs to query mysql database

how to list column in mysql on nodejs with module mysql

Promises in mysql2