JesterXL - 5 months ago 72
Node.js Question

Preventing SQL Injection in node-oracledb

Does node-oracledb escape / sanitize queries? It has parameterized queries via binding:

connection.execute(
  "INSERT INTO countries VALUES (:country_id, :country_name)",
  [90, "Tonga"],
  function(err, result)
  {
    if (err)
      console.error(err.message);
    else
      console.log("Rows inserted " + result.rowsAffected);
  });


I looked in the documentation and took a quick read through of the source code, but nowhere does it state nor show that it escapes the queries.

If it does not, I was thinking of using a combination of node-mysql as well as copious predicates on the user input and queries before passing to the connection.execute method.

Answer

The driver doesn't do the escaping, the database does, but only when you use bind variables rather than string concatenation.

The example you showed is correct and safe.

Here's an example of how to do it the WRONG way which opens you up to SQL injection:

connection.execute(
  "INSERT INTO countries VALUES (" + countryId + ",'" + countryName + "')",
  function(err, result)
  {
    if (err)
      console.error(err.message);
    else
      console.log("Rows inserted " + result.rowsAffected);
  });
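An added example (not from the question or the answer above) that contrasts the two statement shapes without needing a database, and adds the one case binds do not cover: SQL identifiers such as a sort column, which have to be allowlisted. The helper names, the ORDERABLE_COLUMNS allowlist and the hostile input are assumptions for the illustration.

```javascript
// Constructed attacker-style value: a closing quote followed by extra SQL.
const HOSTILE_NAME = "Tonga'); DELETE FROM countries; --";

// WRONG (same shape as the unsafe call in the answer): the value is pasted
// into the SQL text, so a quote inside it rewrites the statement itself.
function buildConcatenated(countryId, countryName) {
  return "INSERT INTO countries VALUES (" + countryId + ",'" + countryName + "')";
}

// RIGHT: the SQL text is a constant and the values travel separately as binds.
// node-oracledb hands them to the database as data, so the statement's
// structure cannot change no matter what the value contains.
function buildBound(countryId, countryName) {
  return {
    sql: "INSERT INTO countries VALUES (:country_id, :country_name)",
    binds: { country_id: countryId, country_name: countryName },
  };
}

// Binds only carry values. Table and column names cannot be bound, so any
// identifier chosen by the caller must be checked against a fixed allowlist
// before it is placed in the SQL text (hypothetical helper).
const ORDERABLE_COLUMNS = new Set(["country_id", "country_name"]);
function buildOrderedSelect(sortColumn) {
  if (!ORDERABLE_COLUMNS.has(sortColumn)) {
    throw new Error("unsupported sort column: " + sortColumn);
  }
  return { sql: "SELECT * FROM countries ORDER BY " + sortColumn, binds: {} };
}

// With the real driver the bound form is executed like this (assumes an open
// `connection` from oracledb.getConnection; not run here):
//   const { sql, binds } = buildBound(90, userSuppliedName);
//   const result = await connection.execute(sql, binds, { autoCommit: true });
```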