Prevent SQL Injection in JavaScript / Node.js
Solution 1
The best way to is to use prepared statements or queries (link to documentation for NPM mysql
module: https://github.com/mysqljs/mysql#preparing-queries)
var sql = "SELECT * FROM table WHERE userid = ?";
var inserts = [message.author.id];
sql = mysql.format(sql, inserts);
If prepared statements is not an option (I have no idea why it wouldn't be), a poor man's way to prevent SQL injection is to escape all user-supplied input as described here: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#MySQL_Escaping
Solution 2
Here is the documentantion on how to properly escape any user provided data to prevent SQL injections: https://github.com/mysqljs/mysql#escaping-query-values .
mysql.escape(userdata)
should be enough.
Admin
Updated on June 04, 2022Comments
-
Admin almost 2 years
I am using Node.js to create a Discord bot. Some of my code looks as follows:
var info = { userid: message.author.id } connection.query("SELECT * FROM table WHERE userid = '" + message.author.id + "'", info, function(error) { if (error) throw error; });
People have said that the way I put in
message.author.id
is not a secure way. How can I do this? An example?