node-datatable icon indicating copy to clipboard operation
node-datatable copied to clipboard
verified publisher icon jpravetz

Warning about injection attacks

Open brynnbp opened this issue 9 years ago • 1 comments

Your comment in the README:

A more thorough SQL injection security review

Had given me the impression that there was preventative measures already in place to prevent injection. Thankfully I reviewed the code before deploying, and saw that the only thing sanitized is the search string. Some people, even without reading the above comment, might not think to check for injection because they're used to working with ORMs, and might make assumptions about node-datatable having similar features.

Might be overkill, but might also not hurt to have a disclaimer in the API section saying

When using user-provided values as data for any part of the query, be sure to sanitize it first

brynnbp avatar Jun 21 '16 22:06 brynnbp

@brynnbp can you make a PR that updates the README or API as proposed?

bean5 avatar Jul 24 '24 11:07 bean5