Christopher Allen Christopher Allen - 3 months ago 17
MySQL Question

Escaping Node.JS MySQL Issues

Im creating a daemon that automatically changes MYSQL table contents randomly around my pages. (wordpress tables)

I have a array of stories that the system will read and then UPDATE the mysql in the tables, and as well update the timestamp on the server.

My code looks like this

//required libraries
fs = require('fs')
var mysql = require('mysql');
var dateFormat = require('dateformat');
var now = new Date();

//mysql table
var connection = mysql.createConnection({
host : 'yomamabinshoppin',
user : 'nonya',
password : 'defineltynonya',
database : 'okbye'
});


connection.connect();


//sitelisting
var sites = [ 'wp_counlwarehouseposts', 'wp_infounlwarehouseposts', 'wp_infowarehouse31posts', 'wp_netunlwarehouseposts', 'wp_netwarehouse31posts', 'wp_orgunlwarehouseposts', 'wp_orgwarehouse31posts', 'wp_stagcomwarehouseposts', 'wp_stagcowarehouseposts', 'wp_staginfwarehouseposts', 'wp_stagnetwarehouseposts', 'wp_stagorgwarehouseposts'];

//select story from catalogue
function ss (id,callback){
fs.readFile('./' + id +'.txt', 'utf8', function (err,data) {
callback(data);
});}

sites.forEach(function(entry) {
ss(Math.floor(Math.random() * 12), function (returnvalue){
fs.writeFile(entry, returnvalue);
connection.query("UPDATE `warehous_wordpress`.`"+entry+"` SET `post_date` = '"+ dateFormat(now, "yyyy-m-d") +" 01:00:01' WHERE `"+entry+"`.`ID` =1", function(err, rows, fields) {

if (err) throw err;


});
fs.appendFile('postlog.log', "UPDATE `warehous_wordpress`.`"+entry+"` SET `post_content` = '"+returnvalue+"' WHERE `"+entry+"`.`ID` = 1" , function (err) {

});
connection.query("UPDATE `warehous_wordpress`.`"+entry+"` SET `post_content` = '"+returnvalue+"' WHERE `"+entry+"`.`ID` = 1", function(err, rows, fields) {

if (err) throw err;
});

});


});


The issue in question here is at the line of

fs.appendFile('postlog.log', "UPDATE `warehous_wordpress`.`"+entry+"` SET `post_content` = '"+returnvalue+"' WHERE `"+entry+"`.`ID` = 1" , function (err) {

});


Where returnvalue is my story, and where entry is the current table name.

Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual th
at corresponds to your MySQL server version for the right syntax to use near 're
frightened can become a safety issue. When designing something to scare visit'
at line 1


The story that it is referring to has the text of this.

SCARE PEOPLE THE RIGHT WAY.
"We always try to scare forward to try to keep the flow going," Travis says. "A lot of times we try to scare further down the path rather than being scared into the wall," which slows the circulation of traffic through the maze.
Plus, where people instinctively move when they're frightened can become a safety issue. When designing something to scare visitors, you have to think about how people will react—and what they might jump into if they leaped backward in terror. "You never really know how bad something is going to scare somebody," Travis explains. "We try to keep the opposite wall clear from any kind of metal props or anything like that."


At first i thought the issue was related to some html in my stories, so i removed ALL of the html in the stories, same issue was happening.

Any advice to how i could fix this?
Thank you.

UPDATE 1
After escaping the variables for the Query, the modified code, still the same parsing issue on the SQL end

//required libraries
fs = require('fs')
var mysql = require('mysql');
var dateFormat = require('dateformat');
var now = new Date();

//mysql table
var connection = mysql.createConnection({
...
});


connection.connect();


//sitelisting
var sites = [ 'wp_counlwarehouseposts', 'wp_infounlwarehouseposts', 'wp_infowarehouse31posts', 'wp_netunlwarehouseposts', 'wp_netwarehouse31posts', 'wp_orgunlwarehouseposts', 'wp_orgwarehouse31posts', 'wp_stagcomwarehouseposts', 'wp_stagcowarehouseposts', 'wp_staginfwarehouseposts', 'wp_stagnetwarehouseposts', 'wp_stagorgwarehouseposts'];

//select story from catalogue
function ss (id,callback){
fs.readFile('./' + id +'.txt', 'utf8', function (err,data) {
callback(data);
});}

sites.forEach(function(entry) {
ss(Math.floor(Math.random() * 12), function (returnvalue){
fs.writeFile(entry, returnvalue);
connection.query("UPDATE `warehous_wordpress`.`"+entry+"` SET `post_date` = '"+ dateFormat(now, "yyyy-m-d") +" 01:00:01' WHERE `"+entry+"`.`ID` =1", function(err, rows, fields) {

if (err) throw err;


});
fs.appendFile('postlog.log', "UPDATE `warehous_wordpress`.`"+ entry + "` SET `post_content` = '"+ mysql.escape(returnvalue) +"' WHERE `"+ entry +"`.`ID` = 1" , function (err) {

});
connection.query("UPDATE `warehous_wordpress`.`"+ entry +"` SET `post_content` = '" + mysql.escape(returnvalue) + "' WHERE `"+ entry +"`.`ID` = 1", function(err, rows, fields) {

if (err) throw err;
});

});


});

Answer

You need to always escape your variables correctly.

If your returnvalue is they're then this portion of your query:

SET `post_content` = '" + returnvalue + "' WHERE

will become:

SET `post_content` = 'they're' WHERE

As you can see, this will result into a syntax error at 're

In the worst case this can be used to inject some data into your database. If returnvalue e.g. would be they', ID='1, then your query will be:

SET `post_content` = 'they', ID='1' WHERE

So you always have to escape you values, either using ? or mysql.escape

Using ?? and ?:

connection.query(
  "UPDATE `warehous_wordpress`.?? SET `post_content` = ? WHERE ??.`ID` = 1",
  [entry, returnvalue, entry] , 
  function(err, rows, fields) {});

Using mysql.escapeId and mysql.escape:

connection.query(
    "UPDATE `warehous_wordpress`." + mysql.escapeId(entry) +
    " SET `post_content` = " + mysql.escape(returnvalue) + 
    " WHERE " + mysql.escapeId(entry) + ".`ID` = 1",
    function(err, rows, fields) {});

I would suggest you to use ? and ??.