dan1t0 / Rest_Wifi-Pi

Very simple (and alfa) API to manage RaspWifi-Pi

Avoid SQL injection by using prepared statements #1

Closed javuto closed 9 years ago

javuto commented 9 years ago

Concatenating strings can lead to SQL injections. Let's avoid that by using prepared statements and parameterizing queries. Example: https://github.com/dan1t0/Rest_Wifi-Pi/blob/master/clients.js#L56

jpenalbae commented 9 years ago

Documentation for the sqlite3 npm module contains some prepared-statement examples: https://www.npmjs.com/package/sqlite3

  var sqlite3 = require('sqlite3');
  var db = new sqlite3.Database(':memory:');
  db.serialize(function () {
      db.run("CREATE TABLE lorem (info TEXT)");
      var stmt = db.prepare("INSERT INTO lorem VALUES (?)"); // '?' is bound by the driver, never parsed as SQL
      for (var i = 0; i < 10; i++) {
          stmt.run("Ipsum " + i);
      }
      stmt.finalize();
  });

Also check: https://github.com/mapbox/node-sqlite3/wiki/API#databasepreparesql-param--callback https://github.com/mapbox/node-sqlite3/wiki/API#statementeachparam--callback-complete
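Added example (not code from this repository or from the thread above) showing the difference the two comments describe: a lookup built by string concatenation next to the same lookup with a bound `?` placeholder. It uses Python's standard-library sqlite3 so it runs offline; the `?` placeholder is the same SQLite binding that node-sqlite3's `db.prepare` uses. The `clients` table, its columns and the rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the app's client list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (mac TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO clients VALUES (?, ?)",
        [("aa:bb:cc:dd:ee:01", "alice"), ("aa:bb:cc:dd:ee:02", "bob")],
    )
    return conn


def find_client_concat(conn, name):
    """The 'before' pattern: the value is pasted into the SQL text.

    Any quote in `name` changes the statement's structure, so the
    database cannot tell data from query.
    """
    sql = "SELECT mac, name FROM clients WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_client_prepared(conn, name):
    """The fix: the statement is compiled once with a '?' placeholder and the
    value is bound separately, so it is compared as a string, never parsed."""
    sql = "SELECT mac, name FROM clients WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed input containing a quote, the classic textbook case.
    odd_name = "x' OR '1'='1"
    print("concat  :", find_client_concat(db, odd_name))    # returns every row
    print("prepared:", find_client_prepared(db, odd_name))  # returns []
```

With the concatenated query the quoted input is parsed as part of the WHERE clause and the whole table comes back; with the bound parameter the same input is just a name nobody has.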

dan1t0 commented 9 years ago

@jesusprubio fixed the bug. (https://github.com/dan1t0/Rest_Wifi-Pi/blob/master/clients.js#L58) https://github.com/dan1t0/Rest_Wifi-Pi/commit/778f5e03fb7c29b414a784bcea95bd5027527365

thanks @jpenalbae and yisus