This is a follow up question to https://stackoverflow.com/a/50337990/1370984 .
It mentions knex('table').where('description', 'like', `%${term}%`) as prone to sql injection attacks. Even a comment mentions the first case as prone to injection attacks. Yet the reference provided never mentions .where being prone to injection attacks.
Is this a mistake? Why would knex allow .where to be prone to injection attacks but not .whereRaw('description like \'%??%\'', [term])? Aren't the arguments being parameterized in both cases?
@tadman This is a real issue? I looked at knex's where documentation and it doesn't mention it being sql injection prone. knexjs.org/#Builder-where In fact, the only mention of sql injection attacks is for Raw - knexjs.org/#Raw . This is concerning. What other features of knex are prone to sql injection attacks? – SILENT Commented Jan 8, 2020 at 22:08
Knex maintenance here. Hi! I just wanted to mention also here that the premises of this question are all false and please ignore @tadman's comments here. One should not even use ?? binding in this case. tl;dr fake news – Mikael Lepistö Commented Jan 10, 2020 at 10:10
@MikaelLepistö Thanks for clarifying. – tadman Commented Jan 10, 2020 at 19:48
1 Answer
> This is a follow up question to https://stackoverflow.com/a/50337990/1370984 .
> It mentions knex('table').where('description', 'like', `%${term}%`) as prone to sql injection attacks. Even a comment mentions the first case as prone to injection attacks. Yet the reference provided never mentions .where being prone to injection attacks.

I'm knex maintainer and I have commented there that

knex('table').where('description', 'like', `%${term}%`)

is NOT vulnerable to SQL injection attacks.

> Is this a mistake? Why would knex allow .where to be prone to injection attacks but not .whereRaw('description like \'%??%\'', [term])? Aren't the arguments being parameterized in both cases?

That .whereRaw is vulnerable when you interpolate values directly to sql string (like for example ?? identifier replacement does).

Correct use for .whereRaw in this case would be for example:

.whereRaw("?? like '%' || ? || '%'", ['description', term])

Where all identifiers are quoted correctly and term is sent to DB as parameter binding.

So the answer and most of the comments added to that answer are just plain wrong.
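To make the distinction in the answer concrete, here is an added illustration in plain JavaScript. It is not code from the question, the answer, or knex itself: it is a minimal model of the placeholder rules knex documents (`?` binds a value as a driver parameter, `??` splices a quoted identifier into the SQL text), rendered in PostgreSQL style ($1, $2 parameters, double-quoted identifiers). The function names (`compileRaw`, `compileWhere`, `compileWhereRaw`, `termLeaksIntoSql`) and the hostile search term are the example's own assumptions. It runs the three forms discussed above through the same compiler and checks whether the user's term ever ends up inside the SQL string.

```javascript
// Added example: a minimal model of the two binding modes the answer
// distinguishes. It is not knex's implementation; it only imitates the
// placeholder rules knex documents ("?" = value binding, "??" = identifier)
// with PostgreSQL-style output ($1, $2 parameters and double-quoted
// identifiers). Function names here are the example's own.

// Identifiers are spliced into the SQL text. Only double quotes are
// escaped, because an identifier is expected to live between double quotes,
// not inside a single-quoted string literal.
function wrapIdentifier(name) {
  return name === '*' ? '*' : `"${String(name).replace(/"/g, '""')}"`;
}

// Walk the fragment once: "\?" is a literal question mark, "??" consumes a
// binding as an identifier, "?" consumes a binding as a driver parameter.
function compileRaw(fragment, bindings) {
  const params = [];
  let next = 0;
  const sql = fragment.replace(/\\\?|\?\?|\?/g, (token) => {
    if (token === '\\?') return '?';
    if (next >= bindings.length) throw new Error('not enough bindings');
    const value = bindings[next++];
    if (token === '??') return wrapIdentifier(value); // text substitution
    params.push(value);                               // stays a parameter
    return `$${params.length}`;
  });
  if (next !== bindings.length) throw new Error('too many bindings');
  return { sql, params };
}

// Model of knex('table').where(column, operator, value): the column is an
// identifier, the value is always a parameter, whatever characters it holds.
// (operator is assumed to be a trusted SQL operator chosen by the developer.)
function compileWhere(column, operator, value) {
  return compileRaw(`select * from "table" where ?? ${operator} ?`, [column, value]);
}

// Model of knex('table').whereRaw(fragment, bindings).
function compileWhereRaw(fragment, bindings) {
  const compiled = compileRaw(fragment, bindings);
  return { sql: `select * from "table" where ${compiled.sql}`, params: compiled.params };
}

// The injection check: did the user's raw term end up inside the SQL text?
function termLeaksIntoSql(compiled, term) {
  return compiled.sql.includes(term);
}

// Constructed hostile search term: its single quote closes a LIKE literal.
const hostileTerm = "x' or '1'='1";

// 1. .where with the pattern built in JavaScript: the whole pattern is $1.
const safeWhere = compileWhere('description', 'like', `%${hostileTerm}%`);

// 2. .whereRaw using ?? for the term: the term lands inside '...' as text,
//    double quotes are escaped but the single quote breaks out of the literal.
const brokenRaw = compileWhereRaw("description like '%??%'", [hostileTerm]);

// 3. The answer's corrected form: ?? for the column name, ? for the term.
const fixedRaw = compileWhereRaw("?? like '%' || ? || '%'", ['description', hostileTerm]);

for (const [label, q] of [['where', safeWhere], ['whereRaw ??', brokenRaw], ['whereRaw ?', fixedRaw]]) {
  console.log(`${label.padEnd(11)} leaks=${termLeaksIntoSql(q, hostileTerm)} sql=${q.sql} params=${JSON.stringify(q.params)}`);
}
```

Running it shows why the `.where` form is safe even though the pattern is assembled with a template literal: the assembled `%...%` string is handed to the driver as a parameter and never touches the SQL text. The `'%??%'` form is the one that is wrong, not because `??` quoting is weak, but because identifier quoting is the wrong escaping for a value placed inside a single-quoted literal; the corrected `?? like '%' || ? || '%'` form keeps the column as an identifier and the term as a parameter.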
Tags: javascript
Title: javascript - Is knex.where prone to sql injection attacks? - Stack Overflow
Source: http://www.betaflare.com/web/1741767974a2396577.html