diugalde diugalde - 5 months ago 76
Node.js Question

How to deal with SQL Injection in OrientDB using nodejs?

I'm using the orientjs library to perform operations in the Orient Database. I read in the documentation that it's possible to use parameter-style queries like the following:

'SELECT name, ba FROM Player '
+ 'WHERE ba >= :ba AND team = ":team"',
ba: targetBA,
team: targetTeam
}, limit: 20

My question is: Is it enough to prevent SQL injection? Because I didn't find information about that in the NodeJS API. In the case of Java, there is a 'Prepared Query' concept, I'm not sure if they are refering to the same thing.


Seems to be secure, I'm trying with this code (yours taken from the wiki is a bit buggy):

var name='admin';

db.open().then(function() {
    return db.query(
        "SELECT * FROM OUser "
        + "WHERE name = :name",
            name: name

First of all, the query is parsed as SELECT * FROM OUser WHERE name = "admin" (observed with the Studio Query Profiler).

As expected, I get the admin user record.

Since the params are evaluated directly as String, there's non need quote them (e.g. :name not ':name'). So there is no way to inject something like ' OR '1'='1 or any ; drop something;

Here are some test I did:

  • var name='; create class p;';

    returns no records;

    evaluated by orient as: SELECT * FROM OUser WHERE name = "; create class p;"

  • var name="' OR '1'='1";

    returns no records;

    evaluated as: SELECT * FROM OUser WHERE name = "' OR '1'='1"

  • var name='" OR "1"="1';

    returns no records;

    evaluated as: SELECT * FROM OUser WHERE name = "\" OR \"1\"=\"1"

  • quoting the param name in the query: "WHERE name = ':name'"

    evaluated as: SELECT * FROM OUser WHERE name = ':name'

Feel free to try more combinations, in my opinion seems quite safe.