wwwouter / typed-knex

A TypeScript wrapper for Knex.js
MIT License
113 stars, 13 forks

Added `selectRaw` string bindings; Added `orWhereParentheses` #62

Closed bgilman-nyk closed 2 years ago

bgilman-nyk commented 2 years ago

My project uses this package a ton, and we recently realized that one of our major calls was susceptible to SQL injection. The culprit is an interpolated string being used in selectRaw. By adding knex.raw string bindings to the function, we can use knex's built-in SQL injection handling.

I also added the orWhereParentheses implementation, as not having this is preventing us from executing some complicated filtering logic.

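The two patterns the PR description contrasts, as an added example that is not code from typed-knex or knex: a `selectRaw` string built by interpolation, where the caller's value can terminate the SQL literal, next to the same query with the value passed as a binding. The `bindRaw`/`escapeValue` pair is a deliberately simplified stand-in for knex.raw's `?` (value) and `??` (identifier) placeholders, written here so the example runs offline; knex itself escapes per dialect and hands bindings to the database driver as query parameters, so its real output differs. `countStringLiterals`, the `orders` table and the constructed hostile input are assumptions for illustration only.

```typescript
// Added example, not typed-knex or knex code. Everything below is a
// simplified illustration of value bindings vs. string interpolation.

type Binding = string | number | boolean | null;

// Toy escaping for a bound value: strings become one quoted literal with
// embedded quotes doubled, so the value can never close the literal.
function escapeValue(v: Binding): string {
  if (v === null) return "NULL";
  if (typeof v === "number") {
    if (!Number.isFinite(v)) throw new Error("non-finite number binding");
    return String(v);
  }
  if (typeof v === "boolean") return v ? "TRUE" : "FALSE";
  return "'" + v.replace(/'/g, "''") + "'";
}

// Toy escaping for a bound identifier (knex's `??`): double-quoted name.
function escapeIdentifier(name: string): string {
  return '"' + name.replace(/"/g, '""') + '"';
}

// Stand-in for knex.raw(sql, bindings): `??` takes an identifier, `?` a value.
// Binding count must match the placeholder count exactly.
function bindRaw(sql: string, bindings: Binding[]): string {
  let i = 0;
  const out = sql.replace(/\?\??/g, (m) => {
    if (i >= bindings.length) throw new Error("too few bindings");
    const b = bindings[i++];
    if (b === undefined) throw new Error("missing binding");
    if (m === "??") {
      if (typeof b !== "string") throw new Error("identifier binding must be a string");
      return escapeIdentifier(b);
    }
    return escapeValue(b);
  });
  if (i !== bindings.length) throw new Error("too many bindings");
  return out;
}

// Vulnerable "before" pattern from the PR description: user input is
// interpolated straight into the raw select fragment.
function selectRawInterpolated(status: string): string {
  return `select sum(case when status = '${status}' then 1 else 0 end) as n from orders`;
}

// Hardened pattern: the same fragment with the value passed as a binding.
function selectRawBound(status: string): string {
  return bindRaw(
    "select sum(case when status = ? then 1 else 0 end) as n from orders",
    [status],
  );
}

// Structural check used to show the difference: counts single-quoted SQL
// string literals, treating '' inside a literal as an escaped quote.
function countStringLiterals(sql: string): number {
  let n = 0;
  for (let i = 0; i < sql.length; i++) {
    if (sql[i] !== "'") continue;
    let j = i + 1;
    while (j < sql.length) {
      if (sql[j] === "'") {
        if (sql[j + 1] === "'") { j += 2; continue; }
        break;
      }
      j++;
    }
    n++;
    i = j;
  }
  return n;
}

// Constructed hostile input: a quote followed by extra SQL. Interpolation
// turns it into three literals (the input escaped the first one); the bound
// form keeps it as a single literal whose contents are just data.
const hostileStatus = "paid' or '1'='1";
console.log(selectRawInterpolated(hostileStatus), countStringLiterals(selectRawInterpolated(hostileStatus)));
console.log(selectRawBound(hostileStatus), countStringLiterals(selectRawBound(hostileStatus)));
```

The literal count is only a demonstration aid; the practical check in a code base is to grep `selectRaw`/`whereRaw` calls for template literals or string concatenation and move every caller-supplied value into the bindings array, as this PR does.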
wwwouter commented 2 years ago

Looks good, thanks!