Closed max-programming closed 2 years ago
😬
That shows you're not doing any sanitisation of your users' input, which is a huge security issue in your site.
The fix is not for this library to make opinionated changes to inputs, it's for you to use the database layer safely.
This recent issue may be helpful for you. But you also need to read into SQL injection vulnerabilities and mitigation before your site gets pwned.
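As an added illustration of the advice above (not code from this thread or from the library, which the page does not name): Python's built-in `sqlite3` stands in for the database layer, and the table, function names and sample inputs are constructed. It contrasts a query built by string concatenation, a hypothetical blanket quote replacement (assumed here to delete the quotes), and a parameterised query.

```python
import sqlite3

SAMPLES = ["O'Brien", "x' -- y"]  # constructed inputs containing single quotes

def new_db():
    # Assumed schema for the illustration; not taken from the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    return db

def insert_concatenated(db, name):
    # "Before": input is spliced into the SQL text, so a quote ends the literal early.
    db.execute("INSERT INTO users (name) VALUES ('" + name + "')")

def insert_quote_stripped(db, name):
    # Hypothetical blanket replacement: the query parses, but the data is altered.
    insert_concatenated(db, name.replace("'", ""))

def insert_parameterised(db, name):
    # Fix: constant SQL text; the driver binds the value, which is never parsed as SQL.
    db.execute("INSERT INTO users (name) VALUES (?)", (name,))

def stored_names(db):
    return [row[0] for row in db.execute("SELECT name FROM users ORDER BY id")]

def concatenation_error(name):
    # Returns the exception class name raised by the concatenated query, if any.
    try:
        insert_concatenated(new_db(), name)
    except sqlite3.Error as exc:
        return type(exc).__name__
    return None

def names_after(insert, names=SAMPLES):
    # Inserts every sample with the given strategy and returns what was stored.
    db = new_db()
    for name in names:
        insert(db, name)
    return stored_names(db)

if __name__ == "__main__":
    print("concatenated:", concatenation_error("O'Brien"))
    print("quote-stripped:", names_after(insert_quote_stripped))
    print("parameterised:", names_after(insert_parameterised))
```

Only the parameterised form stores both inputs exactly as submitted; the error in the concatenated form is the visible symptom that input is being parsed as SQL.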
Okay thanks @dhensby for helping me out on this. I was really confused about this.
What this does:
I recently got into a situation where people were adding single quotes. And when I added that to the database inside the query, it threw an error. To fix this issue, I replaced the single quotes directly in the library.
Related issues:
None
Pre/Post merge checklist: