diugalde diugalde - 1 year ago 130
Node.js Question

How to deal with SQL Injection in OrientDB using nodejs?

I'm using the orientjs library to perform operations in the Orient Database. I read in the documentation that it's possible to use parameter-style queries like the following:

'SELECT name, ba FROM Player '
+ 'WHERE ba >= :ba AND team = ":team"',
ba: targetBA,
team: targetTeam
}, limit: 20

My question is: Is it enough to prevent SQL injection? Because I didn't find information about that in the NodeJS API. In the case of Java, there is a 'Prepared Query' concept, I'm not sure if they are refering to the same thing.

Answer Source

Seems to be secure, I'm trying with this code (yours taken from the wiki is a bit buggy):

var name='admin';

db.open().then(function() {
    return db.query(
        "SELECT * FROM OUser "
        + "WHERE name = :name",
            name: name

First of all, the query is parsed as SELECT * FROM OUser WHERE name = "admin" (observed with the Studio Query Profiler).

As expected, I get the admin user record.

Since the params are evaluated directly as String, there's non need quote them (e.g. :name not ':name'). So there is no way to inject something like ' OR '1'='1 or any ; drop something;

Here are some test I did:

  • var name='; create class p;';

    returns no records;

    evaluated by orient as: SELECT * FROM OUser WHERE name = "; create class p;"

  • var name="' OR '1'='1";

    returns no records;

    evaluated as: SELECT * FROM OUser WHERE name = "' OR '1'='1"

  • var name='" OR "1"="1';

    returns no records;

    evaluated as: SELECT * FROM OUser WHERE name = "\" OR \"1\"=\"1"

  • quoting the param name in the query: "WHERE name = ':name'"

    evaluated as: SELECT * FROM OUser WHERE name = ':name'

Feel free to try more combinations, in my opinion seems quite safe.