Changing query params placeholder format in query string - jooq

Calling query.getSQL(ParamType.NAMED) returns a query string with parameter placeholders in the format :1, :2, :3::myenum etc. Since I am mixing jOOQ with vert.x, I am looking for a way to represent the parameter placeholders in a format using $ instead of a colon ($1, $2, $3), which would be more elegant than force-replacing them on each query creation. Is there any way to manage this through jOOQ configuration or in any other way?

You're looking for Settings.renderNamedParamPrefix

Related

How to use jsonschema in order to prevent sql injection?

In my node.js serverless app (aws-lambda function), I got input validation using jsonschema.
I want to have the ability to avoid making SQL injection to my server side code.
Is there any option to use jsonschema to validate such cases?
Alternatively, which minimal regex could help us check this case?
I will state unequivocally that validating a JSON document with jsonschema has nothing to do with SQL injection defense.
In other words, a JSON document can pass jsonschema validation but still present a SQL injection risk.
Here's a valid JSON document:
{
"film": "Singin' in the Rain",
"year": 1952
}
This would pass a jsonschema that requires the keys "film" and "year" in the object.
But it's unsafe to use in an SQL expression, because of the apostrophe character in "Singin' in the Rain".
Suppose you were to use this JSON content unsafely, by interpolating it directly into an SQL query string:
// UNSAFE!
var sqlQuery = `INSERT INTO Films SET attributes = '${jsonDocument}'`
This will result in imbalanced quotes, and at best this causes an SQL syntax error when you execute the query.
INSERT INTO Films SET attributes = '{ "film": "Singin' in the Rain, "year": 1952 }'
^ error
There might be an opportunity for attackers to exploit it, but it's bad enough that it results in syntax errors.
The proper solution to most SQL injection problems is to use query parameters. Keep the javascript variables separate from the SQL query string. Instead, pass variables as parameters.
// SAFE!
var sqlQuery = `INSERT INTO Films SET attributes = ?`
db.query(sqlQuery, [jsonDocument]).then(...);

Is there a way to pass a parameter to google bigquery to be used in their "IN" function

I'm currently writing an app that accesses Google BigQuery via their "@google-cloud/bigquery": "^2.0.6" library. In one of my queries I have a WHERE clause where I need to pass a list of ids. If I use UNNEST like in their example and pass an array of strings, it works fine.
https://cloud.google.com/bigquery/docs/parameterized-queries
However, I have found that UNNEST can be really slow and just want to use IN on its own and pass in a string list of ids. No matter what format of string list I send, the query returns null results. I think this is because of the way they convert parameters in order to avoid SQL injection. I have to use a parameter because I myself want to avoid SQL injection attacks on my app. If I pass just one id it works fine, but if I pass a list it blows up, so I figure it has something to do with formatting, but I know my format is correct in terms of what IN would normally expect, i.e. IN ('', '').
Has anyone been able to just pass a param to IN and have it work? i.e. IN (@idParam)?
We declare params like this at the beginning of the script:
DECLARE var_country_ids ARRAY<INT64> DEFAULT [1,2,3];
and use like this:
WHERE if(var_country_ids is not null,p.country_id IN UNNEST(var_country_ids),true) AND ...
As you see, we allow NULL as well as array notation. We don't see issues with speed.

Node Mysql Escaping - Mysql.Escape() / Mysql.EscapeId()

I am using mysql-node: https://github.com/mysqljs/mysql but I am a little confused about default sanitization, Mysql.Escape() vs Mysql.EscapeId() and the use of ? vs ??. The docs say:
Default Sanitization
When you pass an Object to .escape() or .query(), .escapeId() is used
to avoid SQL injection in object keys.
I see the term Object, so does that mean I should still escape queries like this?
UPDATE table SET updated_at = userInput WHERE name = userInput.
Mysql.Escape() vs Mysql.EscapeId()
What is the difference between these two functions? The docs say mysql.escape uses mysql.escapeId. I know they both sanitize input, but is there a case where you use one or the other?
? vs ??
The docs use ? and ?? interchangeably. Do they mean the same thing?
The documentation describes what escape() and escapeId() do. Use escape() when you need to escape values. Use escapeId() when you need to escape identifiers (e.g., table, database, or column names).
I talked to the maintainer of mysqljs and confirmed that this package doesn't escape queries by default.
When you pass an Object to .escape() or .query(), .escapeId() is used
to avoid SQL injection in object keys.
The statement above means queries will be escaped if you use one of the following methods.
let args = { name: 'myname', otherVals: 'blah blah' };
mysql.query('Insert INTO table SET ?',args);
let name = 'test';
mysql.query('INSERT INTO table SET name = ?', [name]);
For the second part of the question: ?? and escapeId() are used for identifiers, and ? and escape() are used for values.

Couchbase: search by multiple string keys

Is there any solution to search by multiple string keys in Couchbase?
For example I have an index:
emit(['example', doc.field1, doc.field2], doc.id);
And field1 and field2 are string variables.
I cannot use startkey and endkey because a compound array index key is still treated as a string. So I have a problem like this. But I also have string keys, so I cannot use Spatial Views.
Is there any solution other than a finding of multiple result sets for each part of the key, and then finding their intersection?
If you are limited to using views, then as you already discovered, there is no way to filter by independent fields.
If you are using (or can upgrade to) Couchbase 4.x, then you can do this with a simple N1QL query:
SELECT * FROM bucket WHERE field1 = 'bla' AND field2 ='blabla'
Be sure to create indexes on the two fields:
CREATE INDEX ix_field1 ON bucket(field1)
CREATE INDEX ix_field2 ON bucket(field2)

Node-MySQL - Escaping in Query() Method vs Mysql.Escape() / Mysql.EscapeId()

I am currently using the node-mysql library to connect my application to a MySQL instance. After reading some other StackOverflow questions and articles I found, it sounds like node-mysql automatically escapes unsafe characters every time the query() method is called. But on some code snippets, I also see mysql.escape() and mysql.escapeId() being called within the query() method.
It seems that while query() automatically escapes some dangerous characters, you should still call mysql.escape() and mysql.escapeId() to escape other dangerous characters.
Is this correct? If so, what kind of SQL injection attacks are automatically protected against by the query() method and what kind of SQL injection attacks are protected by calling mysql.escape() and mysql.escapeId()?
No, query() does not automatically escape unsafe characters.
To safely escape values, you need to use mysql.escape()/mysql.escapeId() or use ? placeholders as described here:
https://github.com/felixge/node-mysql#escaping-query-values
connection.query('SELECT * FROM users WHERE id = ?', [userId], function(err, results) {
// ...
});
And this is how to escape INSERT ... VALUES(), because all the examples everywhere use ? for the SET form. For escaping VALUES(Data, Data), which are separated by commas, you can use a template string. Also, the escape command replaces empty data with NULL.
// c is the mysql connection
c.query(`INSERT INTO data VALUES (NULL, ${c.escape(data.Name)}, ${c.escape(data.age)}, ${c.escape(data.emptystring)})`, callback);
// INSERT INTO data VALUES (NULL,'Adam',24,NULL)
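Added illustration (not the mysqljs library's code) of the `?` vs `??` distinction asked about in the two node-mysql questions above, and of why a placeholder, rather than schema validation or string interpolation, neutralises the apostrophe in the jsonschema answer: a constructed re-implementation of the documented escape()/escapeId()/format() conventions. The function names mirror the library's; the table names and row values are constructed.

```javascript
// Constructed re-implementation of the mysqljs escaping conventions, added as an
// illustration only; it is not the library's code. In real code call the package's
// own mysql.escape()/mysql.escapeId() or pass values to query(sql, values).
const ESCAPE_MAP = { '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n',
  '\r': '\\r', '\x1a': '\\Z', "'": "\\'", '"': '\\"', '\\': '\\\\' };

// escapeId(): identifiers (table/column names). Backtick-quoted, embedded backticks
// doubled, dotted names quoted per segment (db.table -> `db`.`table`).
function escapeId(id) {
  return String(id).split('.').map(s => '`' + s.replace(/`/g, '``') + '`').join('.');
}

// escape(): values. Strings are quoted with special characters backslash-escaped,
// numbers/booleans emitted bare, null/undefined become NULL, arrays become a list,
// and plain objects become `key` = value pairs (the "SET ?" form).
function escape(val) {
  if (val === null || val === undefined) return 'NULL';
  if (typeof val === 'number' || typeof val === 'boolean') return String(val);
  if (Array.isArray(val)) return val.map(escape).join(', ');
  if (typeof val === 'object')
    return Object.keys(val).map(k => `${escapeId(k)} = ${escape(val[k])}`).join(', ');
  return "'" + String(val).replace(/[\0\b\t\n\r\x1a'"\\]/g, ch => ESCAPE_MAP[ch]) + "'";
}

// format(): `??` becomes an escaped identifier, `?` an escaped value, consuming the
// values array left to right. This is what query(sql, values) does; query(sql) with
// no values array escapes nothing, so interpolated user input reaches MySQL as-is.
function format(sql, values = []) {
  let i = 0;
  return sql.replace(/\?\??/g, m => {
    if (i >= values.length) return m;                 // surplus placeholders stay as-is
    const v = values[i++];
    return m === '??' ? escapeId(v) : escape(v);
  });
}

// Demo with constructed inputs: the JSON document from the jsonschema answer contains
// an apostrophe, which breaks naive `'${doc}'` interpolation but is harmless through `?`.
const doc = JSON.stringify({ film: "Singin' in the Rain", year: 1952 });
console.log(format('INSERT INTO ?? SET attributes = ?', ['Films', doc]));
console.log(format('INSERT INTO data VALUES (NULL, ?, ?, ?)', ['Adam', 24, null]));
console.log(format('UPDATE ?? SET ? WHERE ?? = ?', ['users', { name: "O'Brien" }, 'id', 7]));
```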
