FACG6 / productApp

https://productapp1.herokuapp.com/

SQL Injection and Parameterized query #44

Open ali-7 opened 5 years ago

ali-7 commented 5 years ago

https://github.com/FACG6/productApp/blob/036198c947adbdf06838e02328cb3be0d4db6187/src/queries/addData.js#L3-L5

This query here is vulnerable to SQL injection; you need to use a parameterized query.

Your query will look like this:

```js
const addProduct = (name, proDate, expDate, companyId, cb) => {
  // SQL text is fixed; the values are bound to $1..$4 by the driver
  const sql = 'INSERT INTO product (name, pro_date, exp_date, company_id) VALUES ($1, $2, $3, $4)';
  const values = [name, proDate, expDate, companyId];
  dbConnection.query(sql, values, (err, res) => {
    if (err) return cb(err);
    cb(null, res);
  });
};
```
ali-7 commented 5 years ago

Simple example:

```js
const { Pool } = require('pg');
const pool = new Pool(); // connection settings come from the PG* environment variables

// RETURNING * so the inserted row comes back in res.rows
const sql = 'INSERT INTO users(name, email) VALUES($1, $2) RETURNING *';
const values = ['ali', 'ali@ali.com'];

pool.query(sql, values, (err, res) => {
  if (err) return console.error(err); // res is undefined on error, so stop here
  console.log(res.rows); // [ { name: 'ali', email: 'ali@ali.com' } ]
});
```

or

```js
// Same pool as above; the query can also be passed as one config object
const sql = {
  text: 'INSERT INTO users(name, email) VALUES($1, $2) RETURNING *',
  values: ['ali', 'ali@ali.com'],
};

pool.query(sql, (err, res) => {
  if (err) return console.error(err);
  console.log(res.rows); // [ { name: 'ali', email: 'ali@ali.com' } ]
});
```
ali-7 commented 5 years ago

Why use a parameterized query

1- The most important reason to use parameterized queries is to avoid SQL injection attacks.
2- Secondly, a parameterized query takes care of the scenario where an SQL query might fail, e.g. inserting O'Baily into a field. A parameterized query handles such a query without forcing you to replace single quotes with doubled single quotes.

https://stackoverflow.com/questions/4712037/what-is-parameterized-query
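As an added example (not code from the productApp repo or from the commenter), the concatenated INSERT the issue flags next to the parameterized form from the comments above, exercised through a stub of pg's `query()` so it runs without a database; `makeFakeDb` and `compare` are assumed names standing in for `dbConnection`/`pool`.

```javascript
// Added example, not code from the productApp repo: the concatenated INSERT the
// issue flags next to the parameterized form, run through a stub of pg's
// query() (makeFakeDb is an assumption standing in for dbConnection/pool).

// BEFORE: value spliced into the SQL text. An apostrophe in the name (O'Baily)
// changes the statement itself, which is the same mechanism SQL injection uses.
function concatenatedInsert(name, email) {
  return "INSERT INTO users(name, email) VALUES('" + name + "', '" + email + "')";
}

// AFTER: the parameterized form from the issue. The text is constant and the
// values are sent separately, so the database never parses them as SQL.
function parameterizedInsert(name, email) {
  return {
    text: 'INSERT INTO users(name, email) VALUES($1, $2) RETURNING *',
    values: [name, email],
  };
}

// Rough well-formedness check: an odd number of single quotes means an
// unterminated literal. Illustration only, not an input filter.
function hasBalancedQuotes(sqlText) {
  return (sqlText.match(/'/g) || []).length % 2 === 0;
}

// Stub accepting pg's two call shapes, (text, values, cb) and (config, cb).
// It records what it receives, which is what the server sees: text and values apart.
function makeFakeDb() {
  const calls = [];
  return {
    calls,
    query(sql, valuesOrCb, maybeCb) {
      const config = typeof sql === 'string' ? { text: sql, values: valuesOrCb } : sql;
      const cb = typeof valuesOrCb === 'function' ? valuesOrCb : maybeCb;
      calls.push(config);
      cb(null, { rows: [] });
    },
  };
}

// Build both forms for one input and report what each would send to the DB.
function compare(name, email) {
  const db = makeFakeDb();
  db.query(parameterizedInsert(name, email), () => {});
  return {
    concatenatedIsWellFormed: hasBalancedQuotes(concatenatedInsert(name, email)),
    parameterizedText: db.calls[0].text,
    parameterizedValues: db.calls[0].values,
  };
}
```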

Anies12 commented 5 years ago

Noticed, thanks @ali-7