Closed Moebits closed 2 years ago
Why do you want your own column names? Making things too configurable will make the module needlessly complex. I'm not sure I'm convinced of the benefit of adding this.
No one should be passing in column names from unsanitized input, so I don't think that SQL injections are an issue.
Well, #151 begs to differ, which caused https://github.com/voxpelli/node-connect-pg-simple/security/advisories/GHSA-xqh8-5j36-4556
Why do you want your own column names?
For naming consistency sake, I don't use abbreviations in my column names which is why I prefer using "sessionID" and "session".
Well, #151 begs to differ, which caused GHSA-xqh8-5j36-4556
You solved this by adding the function escapePgIdentifier() to escape double quotes, which I am also using for the column names.
SQL injection is possible if they pass in unsanitized input for the column name, and this is already possible for the table name too. You should warn people to only pass in a hardcoded string for the column/table names in the readme.
Why do you want your own column names?
For naming consistency sake, I don't use abbreviations in my column names which is why I prefer using "sessionID" and "session".
But this is internally within the dedicated session table? And shouldn't be used by anyone else? So it won't really matter which names they have? Or where are you getting exposed to them?
it won't really matter which names they have?
It’s purely a matter of personal preference, changing the column names doesn’t have a functional difference. I’d just rather use names which aren’t abbreviated.
I want to use my own column names, but this module uses hardcoded column names.
With this modification, you should be able to pass a custom
sidColumnName
,sessColumnName
, orexpireColumnName
.No one should be passing in column names from unsanitized input, so I don't think that SQL injections are an issue.
I only modified some of the tests because PostgreSQL seems to be returning the numbers as strings without an explicit type cast.
Code Example: