
So I have the following object, which is made from data submitted by the user in order to sign up:

var dataToInsert = {
  userName: 'Wilson J',
  userEmail: '[email protected]',
  userAddress: '2020 St.',
  userCellPhone: '95587412',
};

And I'm using the following query to insert it:

 var insertQuery = `INSERT INTO users ( ${Object.keys(dataToInsert).toString()} ) VALUES( '${Object.values(dataToInsert).join("','")}' )`;

Which at the end is taken as:

INSERT INTO
  users (
    userName,
    userEmail,
    userAddress,
    userCellPhone
  )
VALUES
  (
    'Wilson J',
    '[email protected]',
    '2020 St',
    95587412
  )

So far I'm having a hard time understanding how data escaping works. I'd really appreciate it if someone could show me how a SQL injection could take place with this code and how to prevent it.

I'm using the MysQl npm module and it has this method: mysql.escape() but I would like to find a more automated approach instead of escaping every single value manually.

  • Curious, why do you uppercase only the Q in MySQL? Commented Oct 19, 2018 at 12:34

2 Answers


In this day and age, it's actively discouraged to do anything other than bind variables to your query. See this for more information on other ways to escape data:

connection.query(
  // column names still come from the object keys; only the values are bound
  `INSERT INTO users ( ${Object.keys(dataToInsert).toString()} ) VALUES (?)`,
  // the array is expanded by the driver into an escaped list: 'a', 'b', ...
  Object.values(dataToInsert),
  function (error, results, fields) {
    if (error) throw error;
    // ...
  }
);

Word of caution: You won't be able to bind variables to the column names, so unfortunately that part of the query is necessary. Ensure the keys of your dataToInsert are either static, or not from any user input.


5 Comments

@Nick If you read the attached link: Arrays are turned into lists, e.g. ['a', 'b'] turns into 'a', 'b'. I am missing the first set of parentheses, though.
I see. So the question mark is gonna be replaced by the whole list of values? Is each one of them gonna be escaped? Also could you show me an example of SQL injection with the non-escaped code? Thanks for your time!!
There is no such thing as "Escaping" when you're binding variables. You tell MySQL: This is my query, the ? is where you put the variables I send you, and the second parameter is the values I want to send. Just add a single quote to any of your variables, and you'll see the query break in your code.
Wouldn't the code still be vulnerable to SQL injection in that case?
No, because you're explicitly telling MySQL that these (The array in my example) are variables, and they should be placed into the query at the ?

Alternatively, you can use ? characters as placeholders for values you would like to have escaped like this: [...]

There is a way. https://github.com/mysqljs/mysql#user-content-escaping-query-values

1 Comment

To add to this: there is a ? for value escaping, and ?? for column escaping.
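An added example, not code from the question or either answer, that builds the question's INSERT both ways: once with the interpolated string from the question, and once with `?` value placeholders plus `??` identifier placeholders as the two answers describe. The `mysql` package is not loaded; `renderWithPlaceholders` is an assumed local mirror of how the driver expands `?` and `??` so the difference can be inspected offline, and the sample record (with a single quote in the name, as the first answer's comment suggests trying) is constructed.

```javascript
// The question's approach: values interpolated straight into the SQL text.
function buildInsertInterpolated(table, data) {
  return `INSERT INTO ${table} ( ${Object.keys(data).toString()} ) VALUES( '${Object.values(data).join("','")}' )`;
}

// The answers' approach: identifiers via ??, values via ?, with the data passed
// separately. In an application, pass `sql` and `values` to connection.query().
function buildInsertParameterised(table, data) {
  const cols = Object.keys(data);
  const sql = `INSERT INTO ?? (${cols.map(() => '??').join(', ')}) VALUES (${cols.map(() => '?').join(', ')})`;
  return { sql, values: [table, ...cols, ...Object.values(data)] };
}

// Assumed mirror of the driver's value escaping: quote the value and backslash-escape
// quote and control characters so a value can never close the quoted literal.
function escapeValue(v) {
  if (v === null || v === undefined) return 'NULL';
  if (typeof v === 'number') return String(v);
  const map = { '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
                '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\' };
  return "'" + String(v).replace(/[\0\b\t\n\r\x1a"'\\]/g, c => map[c]) + "'";
}

// Assumed mirror of identifier escaping: backtick-quote and double embedded backticks.
function escapeId(id) {
  return '`' + String(id).replace(/`/g, '``') + '`';
}

// Expand ?? and ? placeholders left to right, consuming bound values in order.
function renderWithPlaceholders(sql, values) {
  let i = 0;
  return sql.replace(/\?\??/g, m => (m === '??' ? escapeId(values[i++]) : escapeValue(values[i++])));
}

// Constructed sample record; the single quote in userName is the interesting part.
const sample = { userName: "Wilson O'Brien", userEmail: 'wilson@example.invalid',
                 userAddress: '2020 St.', userCellPhone: '95587412' };

// Returns both renderings so they can be compared side by side.
function demo() {
  const interpolated = buildInsertInterpolated('users', sample);
  const { sql, values } = buildInsertParameterised('users', sample);
  return { interpolated, rendered: renderWithPlaceholders(sql, values) };
}
```

The interpolated text ends up with an odd number of quote characters, so the statement's structure now depends on user data; the placeholder rendering keeps every value inside one escaped literal and every column name inside backticks.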
