serverless-mysql

SQL Injection/Sanitization

Open gente21 opened this issue 5 years ago • 2 comments

I'm assuming that by doing the queries with the question marks:

```js
const sql = "UPDATE clients SET series_daily = 0, series_daily_date = ? WHERE uid = ?";
await utils.mysql.query({ sql, timeout: 10000, values: [todayDate, req.clientUid] });
await utils.mysql.end();
```

serverless-mysql will sanitize the inputs, but I would rather not assume, and it's better to ask: does it sanitize the inputs?

Thanks!

gente21 · Sep 19 '20

Actually, serverless-mysql uses mysql by Doug Wilson underneath it all: https://github.com/mysqljs/mysql. That is where you will get your answer about sanitization.

stephanelpaul · Oct 10 '20

For anyone wondering, the answer to @gente21's question is that the inputs are sanitized just as one would expect.

It is also well worth looking at the documentation link that @StephaneP recommended. Reading through that page before writing queries will save a great deal of frustration.

MarkOnDuty · Oct 20 '20
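What "sanitized just as one would expect" means in practice, as an added example that is not part of this thread and not serverless-mysql's or mysqljs/mysql's own code: serverless-mysql hands `sql` and `values` to the mysqljs layer, which does client-side escaping and substitutes each value for a `?` (and each identifier for a `??`) before the string goes to the server. The small `format()` below re-implements those documented rules (string values backslash-escaped and single-quoted, numbers bare, `null` as `NULL`, arrays as comma lists, objects as `` `key` = value `` pairs) so the effect on a hostile input can be seen without a database. The function names, the `hostile` input and the comparison with plain string concatenation are this example's own.

```javascript
// Added example, not library code. Mirrors the escaping rules documented in
// the mysqljs/mysql README so the effect of "?" placeholders can be seen offline.

// Characters that mysqljs backslash-escapes inside a quoted string literal.
const ESCAPE_CHARS = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
};
const ESCAPE_RE = /[\0\b\t\n\r\x1a"'\\]/g;

// A value bound to "?" becomes one quoted literal; a quote inside the value is
// escaped, so it cannot terminate the literal and start new SQL.
function escapeString(s) {
  return "'" + s.replace(ESCAPE_RE, (c) => ESCAPE_CHARS[c]) + "'";
}

// "??" placeholder: identifiers are backtick-quoted per dotted segment, with
// embedded backticks doubled. Quoting a value with "?" does not make it usable
// as a table or column name; that is what "??" is for.
function escapeId(id) {
  return String(id)
    .split('.')
    .map((part) => '`' + part.replace(/`/g, '``') + '`')
    .join('.');
}

function escapeValue(v) {
  if (v === undefined || v === null) return 'NULL';
  if (typeof v === 'number' || typeof v === 'bigint') return String(v);
  if (typeof v === 'boolean') return v ? 'true' : 'false';
  if (v instanceof Date) {
    // Simplified: mysqljs formats in local time; ISO UTC is used here.
    return escapeString(v.toISOString().slice(0, 19).replace('T', ' '));
  }
  if (Buffer.isBuffer(v)) return "X'" + v.toString('hex') + "'";
  if (Array.isArray(v)) return v.map(escapeValue).join(', ');
  if (typeof v === 'object') {
    // Objects become `key` = value pairs (the SET ? shorthand). Note that this
    // changes the shape of the SQL, which is why user-controlled input should be
    // coerced to the expected scalar type before it reaches `values`.
    return Object.entries(v)
      .map(([k, val]) => escapeId(k) + ' = ' + escapeValue(val))
      .join(', ');
  }
  return escapeString(String(v));
}

// Substitute placeholders left to right; "??" is matched before "?".
function format(sql, values) {
  let i = 0;
  return sql.replace(/\?\??/g, (m) => {
    if (i >= values.length) return m;
    const v = values[i++];
    return m === '??' ? escapeId(v) : escapeValue(v);
  });
}

// Constructed hostile input standing in for a tampered req.clientUid.
const hostile = "x' OR uid = uid; DROP TABLE clients; --";
const sql = 'UPDATE clients SET series_daily = 0, series_daily_date = ? WHERE uid = ?';

// With placeholders the whole string stays inside one literal.
const withPlaceholders = format(sql, ['2020-09-19', hostile]);
// With concatenation the quote in `hostile` closes the literal and the rest is SQL.
const withConcat = "UPDATE clients SET series_daily = 0, series_daily_date = '2020-09-19' WHERE uid = '" + hostile + "'";

console.log(withPlaceholders);
console.log(withConcat);
```

Two caveats from the mysqljs documentation that are easy to miss: this is client-side escaping, not a server-side prepared statement, and the README notes it is only correct while the server's `NO_BACKSLASH_ESCAPES` SQL mode is disabled; and because objects expand into `` `key` = value `` pairs, a `?` that is meant to receive a string should only ever be given a string (cast with `String()` or validate the type) when the source is request data.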