Sql injection prevention

[martinell]

I am starting to use this module. Before, I was using the pg driver directly and I was able to prevent sql injection attacks by using placeholders in the queries and passing the parameters to the driver. Wen I started using jugglingdb I realized now I am able to inject sql code into the queries.

[1602]

If you familiar with pg driver, it would be great if you provide some examples, or, better send pull request. Thanks!

[ammmir]

the code should be updated to use $ positional parameter markers, for example:

client.query("SELECT * FROM users WHERE username=$1", ["ammmir"], function(err, result) {...});

when done this way, the pg driver sends the query to the server for parameter binding so the client doesn't need to worry about escaping.

[martinell]

I've worked on that in my fork https://github.com/martinell/jugglingdb-postgres/commits/master. It is in an early stage because it still has some replicated code. This is because there are some dependencies with the jugglingdb module. To fully apply prepared statements, some modifications would be required on that code and that would affect the mysql adapter. This might require to review the interface between the ORM and the sql adapters.

[1602]

In postgres adapter you can override anything from base sql, if it doesn't
solve your issue feel free to fix API between adapter and base.

On Sun, Jan 20, 2013 at 6:25 PM, Luis notifications@github.com wrote:

I've worked on that in my fork
https://github.com/martinell/jugglingdb-postgres/commits/master. It is in
an early stage because it still has some replicated code. This is because
there are some dependencies with the jugglingdb module. To fully apply
prepared statements, some modifications would be required on that code and
that would affect the mysql adapter. This might require to review the
interface between the ORM and the sql adapters.

—
Reply to this email directly or view it on GitHubhttps://github.com/1602/jugglingdb-postgres/issues/9#issuecomment-12469116.

Thanks,
Anatoliy Chakkaev

[markandrus]

@1602 @martinell is this still an issue? Can you provide an example of how SQL injection can occur?

[martinell]

For what I can see, the code of the adapter looks the same as before I did my changes to it on my fork (https://github.com/martinell/jugglingdb-postgres/commits/master). There you can find some tests I added to check SQL injection (https://github.com/martinell/jugglingdb-postgres/blob/ec91a67d983aae1dddbcad525e51a7734ba2aa84/test/postgres.js).