Tuesday 5 December 2017

node.js - What are Best Practices for preventing SQL injection in node-mysql?

There has been some discussion on this topic (e.g. Preventing SQL injection in Node.js, https://stackoverflow.com/questions/15778572/preventing-sql-injection-in-node-js) but really no clear-cut clarity or a deep discussion, let alone good documentation anywhere. The node-mysql docs discuss prevention of SQL injection and some escape functions. However, it is unclear how these functions prevent SQL injection. The manual says "Strings are safely escaped." Nothing more... Is that limited to escaping some characters only?

There seem to be other equivalents in node-mysql for the same function as in connection.escape and pool.escape with an emphasis again that these functions are used to prevent SQL injection.

There also does not seem to be support for a true prepare statement in node-mysql. The plans and documentation are again unclear on this. Node-mysql is clearly a very popular module in the node.js environment and fairly stable at least in the limited experience I had with it. What are the Best Practices for preventing SQL injection in node-mysql?
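To make concrete what "safely escaped" means and how the `?` / `??` placeholders differ from string concatenation, here is an added, self-contained re-implementation of the escaping and formatting rules node-mysql documents (this is not the module's own code; the function names `escapeString`, `escape`, `escapeId`, `format`, `unsafeQuery` and `safeQuery` are this example's, and it runs without a database or the `mysql` package):

```javascript
// Added example: a stand-in for node-mysql's escape/format behaviour so the
// difference between concatenation and placeholders can be run offline.
// escapeString mirrors the characters node-mysql's SqlString backslash-escapes
// (\0, \b, \t, \n, \r, \x1a, ', ", \). Hypothetical re-implementation, not the
// module's code. Caveat: this scheme relies on the server honouring backslash
// escapes; a session running with sql_mode NO_BACKSLASH_ESCAPES would read
// \' as a literal backslash followed by a string terminator.
const ESCAPE_MAP = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', "'": "\\'", '"': '\\"', '\\': '\\\\',
};

function escapeString(s) {
  return "'" + String(s).replace(/[\0\b\t\n\r\x1a'"\\]/g, (c) => ESCAPE_MAP[c]) + "'";
}

// Values: strings are quoted and escaped, numbers and booleans emitted bare,
// null/undefined become NULL, arrays become a comma-separated list (for IN (?)).
function escape(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') return String(value);
  if (typeof value === 'boolean') return value ? 'true' : 'false';
  if (Array.isArray(value)) return value.map(escape).join(', ');
  return escapeString(value);
}

// Identifiers (table/column names) cannot be protected by value escaping:
// they are wrapped in backticks with embedded backticks doubled (the `??` form).
function escapeId(id) {
  return '`' + String(id).replace(/`/g, '``') + '`';
}

// format(): each `??` becomes an escaped identifier, each `?` an escaped value.
function format(sql, values) {
  let i = 0;
  return sql.replace(/\?\??/g, (m) => {
    if (i >= values.length) return m;            // leave extra placeholders as-is
    return m === '??' ? escapeId(values[i++]) : escape(values[i++]);
  });
}

// Unsafe: a quote in the input closes the literal early and the remainder of
// the input is parsed as SQL. Safe: the same input stays inside one literal.
function unsafeQuery(name) {
  return "SELECT * FROM users WHERE name = '" + name + "'";
}
function safeQuery(name) {
  return format('SELECT * FROM ?? WHERE ?? = ?', ['users', 'name', name]);
}
```

Note that both forms still build SQL text on the client; neither is a server-side prepared statement, which is the distinction the question raises.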
