REMINDER
XSS & SQL Injection?
-
Do you filter parameter inputs from this or do we need to do this in code?
-
FWIW, from what I've seen, there is no protection against SQL injection in the input you receive; it's raw from the sender.
Not sure about XSS/CORS settings.
-
We do protect the Visual SQL endpoints against SQL Injection, but for real languages (Node.js, C#, Java, Python, ...),
since it's your own code, you have to do it yourself or use a library. In Node.js, here is how you can protect a parameter from SQL Injection:
You need this function
function Clean(txt) {
  // null/undefined becomes an empty string; otherwise every single quote is doubled
  if (txt == null) {
    return "";
  } else {
    return txt.replace(/'/g, "''");
  }
}
Then you can call it like this:
var myParam = event.POST.myParam;
var SQL = "SELECT * FROM MyTable WHERE myColumn = '" + Clean(myParam) + "'";
Here is another equivalent syntax with brackets & backticks:
var myParam = event.POST.myParam;
var SQL = `SELECT * FROM MyTable WHERE myColumn = '${Clean(myParam)}'`;
-
I'd like to share another method which is less error-prone:
function escapeSQL(strings, ...vars) {
  // Tagged template: string values get their single quotes doubled, other values are inserted as-is
  return vars.reduce((str, v, i) => {
    if (typeof v == 'string') {
      return str + v.replace(/'/g, "''") + strings[i + 1];
    } else {
      return str + v + strings[i + 1];
    }
  }, strings[0]);
}

var myParam = event.POST.myParam;
var myParam2 = event.POST.myParam2;
var query = escapeSQL`SELECT * FROM MyTable WHERE myColumn='${myParam}' AND mySecondColumn='${myParam2}'`;
This way your query won't be extra long, as you don't have to call a function for each parameter.
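The following is an added example, not code from this thread or from the platform's own library. It serves both Node.js posts above: it puts the quote-doubling tagged template beside a placeholder-based alternative and uses a small lexer to check where an injected value actually ends up in the query. Assumptions: the `sql` tag emits `$1, $2, ...` placeholders (adapt to whatever your driver expects), the lexer assumes ANSI quoting with `''` as the only escape, and the inputs standing in for `event.POST` values are constructed here.

```javascript
// Added example, not code from the original thread. It puts the thread's
// quote-doubling tagged template beside a placeholder-based alternative and
// uses a small lexer to check where an injected value actually ends up.

// Thread-style escaping: double every single quote in string values.
// This is only meaningful for values that land INSIDE single quotes.
function escapeSQL(strings, ...vars) {
  return vars.reduce((str, v, i) => {
    const piece = typeof v === 'string' ? v.replace(/'/g, "''") : String(v);
    return str + piece + strings[i + 1];
  }, strings[0]);
}

// Alternative: keep values out of the query text entirely. Returns the text
// with positional placeholders ($1, $2, ...) plus the values array.
// ASSUMPTION: your database driver accepts this shape; swap "$n" for "?" or
// whatever placeholder syntax the driver you actually use expects.
function sql(strings, ...vars) {
  let text = strings[0];
  for (let i = 0; i < vars.length; i++) {
    text += '$' + (i + 1) + strings[i + 1];
  }
  return { text, values: vars };
}

// Minimal lexer for checking results (ASSUMPTION: ANSI quoting only, where
// '' inside a literal is an escaped quote and backslash has no meaning).
// Returns the parts of the query the database would read as code rather than
// as string-literal content.
function codeSegments(query) {
  const out = [];
  let cur = '';
  let i = 0;
  while (i < query.length) {
    if (query[i] !== "'") {
      cur += query[i];
      i++;
      continue;
    }
    // Entering a string literal: flush the code seen so far, skip the literal.
    out.push(cur);
    cur = '';
    i++;
    while (i < query.length) {
      if (query[i] === "'") {
        if (query[i + 1] === "'") { i += 2; continue; } // escaped quote
        i++;
        break; // closing quote
      }
      i++;
    }
  }
  out.push(cur);
  return out;
}

// True if `marker` shows up in a code context, i.e. the value broke out of
// (or was never inside) a string literal.
function reachesCode(query, marker) {
  return codeSegments(query).some((seg) => seg.includes(marker));
}

// Constructed inputs standing in for event.POST values.
const payload = "x' OR '1'='1";   // classic quote break-out attempt
const id = '1 OR 1=1';            // no quote needed when the column is numeric

// Quoted value: doubling neutralizes the break-out.
const q1 = escapeSQL`SELECT * FROM MyTable WHERE myColumn='${payload}'`;
// Unquoted value: nothing to double, the OR reaches the WHERE clause.
const q2 = escapeSQL`SELECT * FROM MyTable WHERE id=${id}`;
// Placeholders: the same two inputs never touch the query text.
const q3 = sql`SELECT * FROM MyTable WHERE myColumn=${payload} AND id=${id}`;

console.log(q1, '->', reachesCode(q1, ' OR ') ? 'INJECTED' : 'safe');
console.log(q2, '->', reachesCode(q2, ' OR ') ? 'INJECTED' : 'safe');
console.log(q3.text, q3.values);
```

Two caveats the check above makes visible: quote doubling only helps when the template puts the value between single quotes, so a numeric column interpolated bare (`id=${id}`) is still injectable, and it relies on the database treating `''` as the sole escape; on MySQL with its default settings a backslash also escapes the next character, so an input ending in `\'` is not neutralized by doubling alone. A placeholder-based query sidesteps both problems because the value is never part of the SQL text.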