How safe is helpers concat against SQL injections #887
Replies: 1 comment 2 replies
-
|
SQL injection is the issue with bad query-parameter escaping, when values are concatenated. This does not extend to queries as such, because you do not pass entire queries as URL parameters, but if you do - the flaw is then by design, no safety there. Please use StackOverflow or Discussions ere for questions. This is for issues/bugs only. Moving it to Discussions now. |
Beta Was this translation helpful? Give feedback.
-
|
Just wondering, for example if I have 2 queries with parameters for example: INSERT INTO sometable (id, value) VALUES ($1, $2);
INSERT INTO othertable (id, value) VALUES ($1, $2);After I use the concat utility which will produce single statement without parameters: INSERT INTO sometable (id, value) VALUES ('somevalue', 'somevalue'); INSERT INTO othertable (id, value) VALUES ('somevalue', 'somevalue');I wonder what the concat helper does to prevent that SQL injection is possible, say someone is trying to use this: $1 = "random'); DELETE FROM randomtable; --"Will it result in a concated INSERT INTO sometable (id, value) VALUES ('somevalue', 'random'); DELETE FROM randomtable; --'); INSERT INTO othertable (id, value) VALUES ('somevalue', 'random'); DELETE FROM randomtable; --'); |
Beta Was this translation helpful? Give feedback.
-
|
The method concatenates queries after formatting the values, not the other way round. So we have N safe queries joint together. Not sure how you can break that. Other than that, you can try it yourself. |
Beta Was this translation helpful? Give feedback.
-
Hello,
I am currently using pgp.helpers.concat to batch up mutation queries (insert, update, delete) to reduce roundtrips, however since the string is concated into 1 single query without paramaters I wonder how safe it is against SQL injections?
Beta Was this translation helpful? Give feedback.
All reactions