Prevent SQL injections by escaping function arguments properly #5

Open

dmagda opened this issue Sep 7, 2023 · 1 comment

Comments

dmagda (Owner) commented Sep 7, 2023

For instance, the string args are wrapped in single quotes, which is a backdoor for SQL injections:
https://github.com/dmagda/pg-compute-node/blob/main/compute/pg_compute.js#L208

Review other places for potential vulnerabilities.

billkarwin commented Sep 7, 2023

Also delimit variables that contain schema names or function names or other identifiers when you concatenate them into dynamic SQL. PostgreSQL uses double-quotes as the identifier delimiter.

Remember to check the variable's content for literal double-quote characters, and replace them with two double-quotes. You might think no one would be silly enough to use literal double-quote characters in their identifiers, but they do. Just as they use reserved keywords or whitespace or punctuation in their identifiers. Any of these cases would break the line of code you linked to.

It doesn't have to be a malicious SQL injection attack, it can just be that some developer naively named their function "my function" (with a space).

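An added example, not code from pg-compute-node or from either commenter, that puts both points of this thread side by side in Node.js: a call builder that wraps arguments in single quotes and concatenates identifiers unquoted (the pattern the issue describes), one that double-quotes identifiers (doubling any embedded double quote, as the second comment recommends) and escapes literals, and a parameterized variant that sends argument values as `$n` placeholders so the server never parses them as SQL. The helper names (`quoteIdent`, `quoteQualifiedIdent`, `quoteLiteral`, `naiveCall`, `safeCall`, `parameterizedCall`) and the sample inputs are this example's own; the quoting rules assumed are PostgreSQL's standard ones.

```javascript
// Added example (not pg-compute-node's own code): building a dynamic
// SELECT schema.func(args) call without letting names or values escape
// their delimiters.
//
// PostgreSQL has two separate delimiter rules:
//   * identifiers (schema, function, column names) go in double quotes;
//     a literal double quote inside is written as ""
//   * string literals go in single quotes; a literal single quote inside
//     is written as ''
// Skipping either rule is what lets a function named "my function" (with a
// space) or a hostile argument break or rewrite the statement.

function quoteIdent(name) {
  if (typeof name !== 'string' || name.length === 0) {
    throw new TypeError('identifier must be a non-empty string');
  }
  // NUL can never be part of an identifier; refuse rather than truncate.
  if (name.includes('\0')) throw new TypeError('identifier contains NUL');
  return '"' + name.replace(/"/g, '""') + '"';
}

// Schema and function are quoted separately, so a dot inside either name
// cannot be read as a qualifier.
function quoteQualifiedIdent(schema, func) {
  return quoteIdent(schema) + '.' + quoteIdent(func);
}

// Literal escaping for the cases where a placeholder is not available.
// Mirrors what libpq's PQescapeLiteral produces: plain '...' with doubled
// single quotes, or the E'...' form with doubled backslashes when the value
// contains a backslash (so the result is correct whatever
// standard_conforming_strings is set to).
function quoteLiteral(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') {
    if (!Number.isFinite(value)) throw new TypeError('non-finite number');
    return String(value);
  }
  if (typeof value === 'boolean') return value ? 'TRUE' : 'FALSE';
  if (typeof value !== 'string') throw new TypeError('unsupported literal type');
  if (value.includes('\0')) throw new TypeError('literal contains NUL');
  const escaped = value.replace(/'/g, "''");
  return value.includes('\\')
    ? "E'" + escaped.replace(/\\/g, '\\\\') + "'"
    : "'" + escaped + "'";
}

// The pattern the issue describes: wrap each argument in single quotes and
// concatenate the identifiers as-is. Kept deliberately unsafe for contrast.
function naiveCall(schema, func, args) {
  return `SELECT ${schema}.${func}(${args.map((a) => `'${a}'`).join(', ')})`;
}

// Same statement with identifiers delimited and literals escaped.
function safeCall(schema, func, args) {
  const quotedArgs = args.map(quoteLiteral).join(', ');
  return `SELECT ${quoteQualifiedIdent(schema, func)}(${quotedArgs})`;
}

// Preferred form: identifiers still have to be quoted (a placeholder cannot
// stand for a name), but values travel as $1, $2, ... parameters. Returns
// the {text, values} shape that node-postgres' client.query() accepts.
function parameterizedCall(schema, func, args) {
  const placeholders = args.map((_, i) => `$${i + 1}`).join(', ');
  return {
    text: `SELECT ${quoteQualifiedIdent(schema, func)}(${placeholders})`,
    values: args,
  };
}

// Constructed inputs: an identifier with a space and a quote, and an
// argument that closes the literal and appends a second statement.
const hostileArg = "x'); DROP TABLE users; --";
console.log(naiveCall('public', 'my function', [hostileArg]));
console.log(safeCall('public', 'say "hi"', [hostileArg, 42, null]));
console.log(parameterizedCall('public', 'my function', [hostileArg, 42]));
```

With node-postgres, a query string sent without a `values` array goes over the simple-query protocol, which accepts several statements separated by semicolons, so the naive output above would actually run the appended `DROP TABLE` if it reached the server; the parameterized form uses the extended protocol, which rejects multiple statements and never interprets parameter values as SQL.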