Igor Kasuan - 1 month ago
Node.js Question

Should I use escape strings in sequelize (node.js)?

I have a function that fetches products with offset and limit.

// Fetch one page of products; offset and limit come straight from the request.
function f(offset, limit, callback) {
    models.Product.findAll({
        offset: offset,
        limit: limit
    }).then(function (products) {
        // success path (elided with "..." in the original post; assumed to hand
        // the rows to the callback)
        callback(null, products);
    }).catch(function (error) {
        // any error raised by Sequelize/the database lands here
        callback(error, null);
    });
}


The server gets offset and limit via a POST query from the client.
Should I check the limit and offset values myself, or will sequelize do it instead of me? Will it catch all errors in the 'catch' method?

For example, the server expected the values offset: 0, limit: 100,
but got offset: -87, limit: 'rchk' or some kind of SQL injection.

Should I pass this data to findAll or check input data myself before passing?

Answer

Sequelize will escape (to prevent injection attacks) the limit and offset values for you. It won't, however, validate it for you, so if you don't want a SequelizeDatabaseError thrown when some fool passes 'limit: monkeys' then you need to screen that yourself.

If you were running raw queries (with Sequelize#query), then you'd want to use placeholders, as t.niese suggests.
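The screening step the answer recommends, as an added example that is not part of the question or the answer: a small validator that turns untrusted offset/limit input into safe integers (or an error) before anything reaches Sequelize. The MAX_LIMIT and DEFAULT_LIMIT values are assumed, and the Sequelize calls are shown only in comments so the block runs without the library.

```javascript
// Added example, not from the original post. Sequelize escapes offset/limit
// (so 'rchk' cannot inject SQL), but it does not validate them; a bad value
// surfaces as a SequelizeDatabaseError in .catch(). Rejecting bad input up
// front gives the client a 400 instead of a database error.
const MAX_LIMIT = 100;    // assumed ceiling for one page
const DEFAULT_LIMIT = 20; // assumed default when the client sends nothing

// Accept only plain decimal digits (or an integer number), reject everything
// else: negatives, floats, hex, arrays, objects, "10; DROP TABLE ..." and so on.
function toNonNegativeInt(value, fallback) {
  if (value === undefined || value === null || value === '') return fallback;
  if (typeof value === 'number') {
    return Number.isSafeInteger(value) && value >= 0 ? value : null;
  }
  if (typeof value !== 'string' || !/^\d+$/.test(value)) return null;
  const n = Number(value);
  return Number.isSafeInteger(n) ? n : null;
}

// Returns { offset, limit } on success or { error } on bad input.
function parsePagination(query) {
  const offset = toNonNegativeInt(query.offset, 0);
  if (offset === null) {
    return { error: 'offset must be a non-negative integer' };
  }
  const limit = toNonNegativeInt(query.limit, DEFAULT_LIMIT);
  if (limit === null || limit === 0 || limit > MAX_LIMIT) {
    return { error: `limit must be an integer between 1 and ${MAX_LIMIT}` };
  }
  return { offset, limit };
}

// Usage inside the request handler (Sequelize calls not executed here):
//   const page = parsePagination(req.body);
//   if (page.error) return res.status(400).json({ error: page.error });
//   models.Product.findAll({ offset: page.offset, limit: page.limit })
//     .then(products => callback(null, products))
//     .catch(error => callback(error, null));
//
// For a raw query, keep the values out of the SQL string and use Sequelize's
// named replacements instead:
//   sequelize.query(
//     'SELECT * FROM products LIMIT :limit OFFSET :offset',
//     { replacements: { limit: page.limit, offset: page.offset },
//       type: sequelize.QueryTypes.SELECT }
//   );

module.exports = { parsePagination, toNonNegativeInt, MAX_LIMIT, DEFAULT_LIMIT };
```

The validator returns a result object rather than throwing, so the handler can map bad input to a 400 response while leaving `.catch()` for genuine database failures.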
