Hi,

if you are using Express and the Express query parser, you might be doing something like

GET /users?id=xxx

And in your app:

db.query('SELECT * FROM users WHERE id = ?', [req.query.id])

I have seen this several times now; this is very dangerous! The Express query parser is translating arrays and objects, which node-mysql loves to translate as well.

So, an attacker could do

GET /users?id[id]=1

which Express translates to {"id":"1"} and which ends up as

SELECT * FROM users WHERE id = id = '1'

I understand that this might not be an issue with node-mysql, but it would be great to have an option to turn off the automatic type translation in node-mysql, maybe even by default, since most people are not expecting the escaper to behave like that.
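The two translations the report describes, as an added example that is not node-mysql's or Express's own code: parseQuery is a simplified stand-in for the Express/qs bracket-key parser, and escapeValue/format are a stand-in for the node-mysql escaper, assumed to behave as the report states (objects become `key = value` pairs, arrays become comma-separated lists, strings are quoted and backslash-escaped). buildQuery reproduces the vulnerable pattern, and buildQuerySafe is the hardened form that refuses anything the query parser turned into an object or array. All function names and the sample query strings are constructed for this illustration.

```javascript
// Added example: a simplified model of the two translations described in the
// report. It is NOT node-mysql's or Express's own code. parseQuery stands in
// for the Express/qs query parser; escapeValue/format stand in for the
// node-mysql escaper, assumed to behave as the report describes (objects
// become `key = value` pairs, arrays become comma-separated lists).

// Express/qs-style bracket keys: "id[id]=1" -> { id: { id: "1" } }.
// Only nested object keys are modelled; the "[]" array syntax is not.
function parseQuery(queryString) {
  const result = {};
  for (const pair of queryString.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawValue = eq === -1 ? '' : pair.slice(eq + 1);
    const key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
    const value = decodeURIComponent(rawValue.replace(/\+/g, ' '));
    const path = key.replace(/\]/g, '').split('['); // "a[b][c]" -> ["a","b","c"]
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== 'object' || node[path[i]] === null) node[path[i]] = {};
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Model of the escaper's type-driven translation (assumed behaviour, see lead-in).
function escapeValue(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number' || typeof value === 'boolean') return String(value);
  if (Array.isArray(value)) {
    return value.map(escapeValue).join(', ');          // ['a','b'] -> 'a', 'b'
  }
  if (typeof value === 'object') {
    return Object.keys(value)                          // {id:'1'} -> id = '1'
      .map((k) => k + ' = ' + escapeValue(value[k]))
      .join(', ');
  }
  // Strings: backslash-escape the characters MySQL treats specially, then quote.
  const escaped = String(value).replace(/[\0\n\r\b\t\\'"\x1a]/g, (ch) => {
    switch (ch) {
      case '\0': return '\\0';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\b': return '\\b';
      case '\t': return '\\t';
      case '\x1a': return '\\Z';
      default: return '\\' + ch;
    }
  });
  return "'" + escaped + "'";
}

// Substitute each "?" with the escaped form of the next value.
function format(sql, values) {
  let i = 0;
  return sql.replace(/\?/g, () => escapeValue(values[i++]));
}

const SQL = 'SELECT * FROM users WHERE id = ?';

// The pattern from the report: the raw req.query value goes straight into "?".
function buildQuery(queryString) {
  const q = parseQuery(queryString);
  return format(SQL, [q.id]);
}

// Hardened handler: the escaper's per-type behaviour is harmless once the
// value is forced into the scalar shape the query expects before it gets there.
function buildQuerySafe(queryString) {
  const id = parseQuery(queryString).id;
  if (typeof id !== 'string' || !/^\d{1,15}$/.test(id)) {
    throw new TypeError('id must be a decimal integer string');
  }
  return format(SQL, [Number(id)]);
}

// Constructed sample inputs.
console.log(buildQuery('id=42'));
// SELECT * FROM users WHERE id = '42'
console.log(buildQuery('id[id]=1'));
// SELECT * FROM users WHERE id = id = '1'
// MySQL reads this as (id = id) = '1', i.e. 1 = '1', which holds for every row.
console.log(buildQuerySafe('id=42'));
// SELECT * FROM users WHERE id = 42
try { buildQuerySafe('id[id]=1'); } catch (e) { console.log(e.message); }
// id must be a decimal integer string
```

The point the hardened handler makes is that turning off the escaper's type translation is only one fix; the other is never to hand a value of unknown type to a placeholder. Checking `typeof` (and the expected format) of every query-string value before it reaches the driver removes the attacker's control over which escaper branch runs, whichever driver is underneath.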
tellnes added a commit to tellnes/node-mysql that referenced this issue on May 28, 2013