diugalde diugalde - 1 month ago 35
Node.js Question

How to deal with SQL Injection in OrientDB using nodejs?

I'm using the orientjs library to perform operations in the Orient Database. I read in the documentation that it's possible to use parameter-style queries like the following:

db.query(
'SELECT name, ba FROM Player '
+ 'WHERE ba >= :ba AND team = ":team"',
{params:
ba: targetBA,
team: targetTeam
}, limit: 20
).then(function(hitters){
console.log(hitters)
});


My question is: Is it enough to prevent SQL injection? Because I didn't find information about that in the NodeJS API. In the case of Java, there is a 'Prepared Query' concept, I'm not sure if they are refering to the same thing.

Answer

Seems to be secure, I'm trying with this code (yours taken from the wiki is a bit buggy):

var name='admin';

db.open().then(function() {
    return db.query(
        "SELECT * FROM OUser "
        + "WHERE name = :name",
        {params:{
            name: name
            }
        });
}).then(function(res){
    console.log(res);
    db.close().then(function(){
        console.log('closed');
    });
});

First of all, the query is parsed as SELECT * FROM OUser WHERE name = "admin" (observed with the Studio Query Profiler).

As expected, I get the admin user record.

Since the params are evaluated directly as String, there's non need quote them (e.g. :name not ':name'). So there is no way to inject something like ' OR '1'='1 or any ; drop something;


Here are some test I did:

  • var name='; create class p;';

    returns no records;

    evaluated by orient as: SELECT * FROM OUser WHERE name = "; create class p;"

  • var name="' OR '1'='1";

    returns no records;

    evaluated as: SELECT * FROM OUser WHERE name = "' OR '1'='1"

  • var name='" OR "1"="1';

    returns no records;

    evaluated as: SELECT * FROM OUser WHERE name = "\" OR \"1\"=\"1"

  • quoting the param name in the query: "WHERE name = ':name'"

    evaluated as: SELECT * FROM OUser WHERE name = ':name'


Feel free to try more combinations, in my opinion seems quite safe.

Comments