XSS & SQL Injection?

Reply to XSS & SQL Injection? on Sun, 19 Jul 2020 08:22:25 GMT

Wassim — Sun, 19 Jul 2020 08:22:25 GMT

I'd like to share another method which is less error prone :

function escapeSQL(strings, ...vars) {
    return vars.reduce((str, v, i) => {
        if (typeof(v) == 'string') {
            return str + v.replace(/'/g, "''") + strings[i+1];
        } else {
            return str + v + strings[i+1];
        }
    }, strings[0]);
}
var myParam = event.POST.myParam;
var myParam2 = event.POST.myParam2;
var query = escapeSQL`SELECT * FROM MyTable WHERE myColumn='${myParam }' AND mySecondColumn='${myParam2 }'`

This way your query won't be extra long as you don't have to call a function for each parameter

Reply to XSS & SQL Injection? on Sun, 19 Jul 2020 06:06:07 GMT

Joseph Benguira — Sun, 19 Jul 2020 06:06:07 GMT

We do protect for SQL Injection the Visual SQL endpoints, but for real languages (Node.js, C#, Java, Python, ...)
since it's your own code you have to do it by yourself of use a library ...

In node.js here is how you can protect a parameter from SQL Injection:

You need this function

function Clean(txt){
     if ( txt == null) {  return "";  }
     else{
          return txt.replace(/\'/g, "''");
     }
}

Then you can call it like this:

var myParam = event.POST.myParam;
var SQL = "SELECT * FROM MyTable WHERE myColumn = '" + Clean(MyParam) + "'";

Here is another equivalent syntax with brackets & backticks:

var myParam = event.POST.myParam;
var SQL = `SELECT * FROM MyTable WHERE myColumn = '${Clean(MyParam)}'`;

Reply to XSS & SQL Injection? on Sat, 18 Jul 2020 11:45:22 GMT

Daniel Mulroy — Sat, 18 Jul 2020 11:45:22 GMT

FWIW, from what i've seen, there is no protection against SQL injection in the input you receive, it's raw from the sender.

Not sure about XSS/CORS settings.