Warning: Security Issues with Query-Type-Escaping and Express #501

Closed
@denisu

Hi,

If you are using Express and the Express query parser, you might be doing something like GET /users?id=xxx

And in your app:

db.query('SELECT * FROM users WHERE id = ?', [req.query.id])

I have seen this several times now; this is very dangerous! The Express query parser is translating arrays and objects, which node-mysql loves to translate as well.

So, an attacker could do GET /users?id[id]=1, which Express translates to {"id":"1"}, which ends up as

SELECT * FROM users WHERE id = id = '1'

I understand that this might not be an issue with node-mysql, but it would be great to have an option to turn off the automatic type translation in node-mysql, maybe even by default, since most people are not expecting the escaper to behave like that.
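
One way to guard against the case described above on the application side, as an added example that is not part of the original issue or of node-mysql: an Express-style middleware that answers 400 unless each listed query parameter is a single string, plus a strict integer parse for ids. The names `scalarQuery`, `toPositiveInt` and `check`, and the sample `req.query` objects, are assumptions constructed for the illustration.

```javascript
// Added example, not from the issue or the driver. All names are hypothetical.

// Express-style middleware factory: every listed query parameter must be
// present as a plain string. Arrays (?id=1&id=2) and objects (?id[id]=1)
// produced by the query parser are answered with 400 before any SQL is built.
function scalarQuery(...names) {
  return function (req, res, next) {
    for (const name of names) {
      if (typeof req.query[name] !== 'string') {
        res.status(400).json({ error: `query parameter "${name}" must be a single string` });
        return;
      }
    }
    next();
  };
}

// Strict decimal id: digits only, no sign or whitespace, within the safe range.
function toPositiveInt(value) {
  if (typeof value !== 'string' || !/^[1-9][0-9]{0,15}$/.test(value)) return null;
  const n = Number(value);
  return Number.isSafeInteger(n) ? n : null;
}

// Runs the middleware against a constructed request and reports the outcome.
function check(query) {
  const out = { status: 200, passed: false };
  const res = {
    status(code) { out.status = code; return this; },
    json(body) { out.body = body; return this; },
  };
  scalarQuery('id')({ query }, res, () => { out.passed = true; });
  return out;
}

// Constructed req.query shapes, as the parser would hand them to a handler.
const samples = {
  'id=1': { id: '1' },
  'id[id]=1': { id: { id: '1' } },
  'id=1&id=2': { id: ['1', '2'] },
  '(missing)': {},
};
for (const [label, query] of Object.entries(samples)) {
  const r = check(query);
  console.log(label.padEnd(10), r.passed ? `ok, id=${toPositiveInt(query.id)}` : `rejected ${r.status}`);
}
```

In an application the middleware would be mounted as `app.get('/users', scalarQuery('id'), handler)`; the driver's `stringifyObjects: true` connection option additionally stops objects from being expanded into `key = value` pairs.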

Activity

added a commit that references this issue on May 28, 2013
dd921c3