Reputation: 6045
How to deal with SQL Injection in OrientDB using nodejs?
I'm using the orientjs library to perform operations in the Orient Database. I read in the documentation that it's possible to use parameter-style queries like the following:
db.query(
'SELECT name, ba FROM Player '
+ 'WHERE ba >= :ba AND team = ":team"',
{params: {
ba: targetBA,
team: targetTeam }
}, limit: 20
).then(function(hitters){
console.log(hitters)
});
My question is: Is it enough to prevent SQL injection? Because I didn't find information about that in the NodeJS API. In the case of Java, there is a 'Prepared Query' concept, I'm not sure if they are refering to the same thing.
Upvotes: 3
Views: 589
Answers (1)
Reputation: 1982
Seems to be secure, I'm trying with this code (yours taken from the wiki is a bit buggy):
var name='admin';
db.open().then(function() {
return db.query(
"SELECT * FROM OUser "
+ "WHERE name = :name",
{params:{
name: name
}
});
}).then(function(res){
console.log(res);
db.close().then(function(){
console.log('closed');
});
});
First of all, the query is parsed as SELECT * FROM OUser WHERE name = "admin" (observed with the Studio Query Profiler).
As expected, I get the admin user record.
Since the params are evaluated directly as String, there's non need quote them (e.g. :name not ':name'). So there is no way to inject something like ' OR '1'='1 or any ; drop something;
Here are some test I did:
var name='; create class p;';returns no records;
evaluated by orient as:
SELECT * FROM OUser WHERE name = "; create class p;"var name="' OR '1'='1";returns no records;
evaluated as:
SELECT * FROM OUser WHERE name = "' OR '1'='1"var name='" OR "1"="1';returns no records;
evaluated as:
SELECT * FROM OUser WHERE name = "\" OR \"1\"=\"1"quoting the param name in the query:
"WHERE name = ':name'"evaluated as:
SELECT * FROM OUser WHERE name = ':name'
Feel free to try more combinations, in my opinion seems quite safe.
Upvotes: 5
Related Questions
- Preventing SQL injection in Node.js
- Avoid injection in SQL LIKE query in Node js
- Preventing Nodejs MySQL SQL Injection
- Prevent SQL Injection in JavaScript / Node.js
- Prevent SQL Injection with Nodejs and Postgres
- Node JS SQL prevent sql injection
- How can I prevent SQL injection with Node.JS?
- How to make a Queries from the server in Node.js to the database OrientDB
- Preventing SQL Injection in node-oracledb
- Unable to make query to OrientDB using Orientjs