Reputation: 1341
SQL injection in Node Mysql library
I was trying to do some sql injection in node mysql library.
I have an Insert query written in Nodejs using by doing:
pool.query(`Insert into orders(orderType,CustomerID,storeNumber,stageNumber) Values('${orderType}',${customerID},'${storeNumber}','${stageNumber}')`,function(err,rows,fields){
if(err){
console.log(err)
}
var orderID=rows.insertId
}
All of the varaibles comes form a form which I am receiving using req.body
In the stageNumber field in the form instead of the storeNumber I was writing:
'); Delete from orderDetail;
This did not delete anything from my table
From my console.log(err) i get
Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Delete from orderDetail;')'
I cannot think of a way to remove the ')' but I know where it is coming from. Is it even possible to do SQL injection in Node MySQL library?
Upvotes: 0
Views: 83
Answers (1)
Reputation: 510
Have you already tried
'); Delete from orderDetail; --
This will ignore any characters post -- and should ideally work in this case.
Upvotes: 1
Related Questions
- Node.JS - SQL server query with parameters to prevent SQL injection
- use quotes in sql query node.js
- Preventing SQL injection in Node.js
- Avoid injection in SQL LIKE query in Node js
- Preventing Nodejs MySQL SQL Injection
- Prevent SQL Injection in JavaScript / Node.js
- Node JS SQL prevent sql injection
- mysql escaping string node js`
- How can I prevent SQL injection with Node.JS?
- How to use sql-injection package in Node.js application?