How to handle SQL injection in mssql node module
In an Express.js project, I am using https://www.npmjs.com/package/mssql to connect to Microsoft SQL Server and trying to execute a stored procedure. According to the documentation of mssql
(https://www.npmjs.com/package/mssql#sql-injection), it will handle all the SQL injection, which I think is not happening.
Can someone help me with how to handle SQL injection in this node module?
var sql = require('mssql');
var dbConfig = {}; // connection settings omitted in the post
// mssql v3 API (sql.Connection); later versions call this sql.ConnectionPool
var Connection = new sql.Connection(dbConfig);
Connection.connect().then(function(_connection){
    var request = new sql.Request(_connection);
    request.verbose = true;
    // Values are bound as parameters; the second one is the attempted injection payload
    request.input('username', 'patriksimek');
    request.input('password', 'delete from dbo.Users where userId =1');
    request.input('attempts', 2);
    // execute() returns a promise; return it so a failure reaches the catch below
    return request.execute('my_stored_procedure');
}).catch(function(err){
    console.error(err);
});
You are using a stored procedure, which cannot be SQL injected.
You don't need to do anything.
SQL injection is a technique to hack by passing SQL statements to the server.
E.g., for the code
'SELECT * FROM user WHERE username = ' + username
if I pass
username = 'xxx; DELETE FROM user;'
then all records in the users table will be gone.
To protect from SQL injection
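The following is an added example by the editor, not code from the question, the answer or the mssql project. It needs no database: it shows the SQL text each approach would send, so the effect of the answer's payload is visible offline. The table and column names (user, username) come from the answer; the quoting around the value in buildUnsafeQuery, the helper names and the two constructed inputs are assumptions of this example.

```javascript
// Added example by the editor, not code from the question, the answer or the
// mssql project. It needs no database: it shows the SQL text that each approach
// would send, so the effect of the answer's payload is visible offline.
// Assumptions: the table and column names (user, username) come from the answer;
// the quoting in buildUnsafeQuery, the helper names and the inputs are mine.

// The concatenation pattern from the answer, with the usual quotes around the
// value. The user-supplied string becomes part of the statement text.
function buildUnsafeQuery(username) {
  return "SELECT * FROM user WHERE username = '" + username + "'";
}

// The parameterised pattern. The statement text never changes; the value is
// carried separately, which is what mssql does when you call
// request.input('username', value) and then request.query(text) with @username.
function buildParameterisedQuery(username) {
  return {
    text: 'SELECT * FROM user WHERE username = @username',
    params: { username: username },
  };
}

// Teaching aid, not a SQL parser: counts top-level statements by splitting on
// ';' outside single-quoted strings and ignoring a trailing '--' comment.
function countStatements(sqlText) {
  let inString = false;
  let hasTokens = false;
  let count = 0;
  for (let i = 0; i < sqlText.length; i++) {
    const ch = sqlText[i];
    if (inString) {
      if (ch === "'") inString = false;
      continue;
    }
    if (ch === "'") {
      inString = true;
      hasTokens = true;
      continue;
    }
    if (ch === '-' && sqlText[i + 1] === '-') break; // comment runs to end of line
    if (ch === ';') {
      if (hasTokens) count++;
      hasTokens = false;
      continue;
    }
    if (!/\s/.test(ch)) hasTokens = true;
  }
  if (hasTokens) count++;
  return count;
}

// Runs both builders on one input and reports what each would send.
function compare(username) {
  const unsafeText = buildUnsafeQuery(username);
  const safe = buildParameterisedQuery(username);
  return {
    unsafeText: unsafeText,
    unsafeStatements: countStatements(unsafeText),
    safeText: safe.text,
    safeStatements: countStatements(safe.text),
    safeParams: safe.params,
  };
}

// Constructed inputs: a normal username and the answer's payload, adapted to
// close the opening quote first so it escapes the string literal.
const BENIGN_USERNAME = 'alice';
const INJECTION_PAYLOAD = "xxx'; DELETE FROM user; --";

if (typeof require !== 'undefined' && require.main === module) {
  // Concatenation: the payload turns one SELECT into a SELECT plus a DELETE.
  console.log(JSON.stringify(compare(BENIGN_USERNAME), null, 2));
  console.log(JSON.stringify(compare(INJECTION_PAYLOAD), null, 2));
}
```

With the payload, the concatenated text contains two statements while the parameterised text still contains one and the payload sits unchanged in the parameter value; the server only ever compares it against the column. The same holds for the question's request.execute('my_stored_procedure'): the inputs arrive as typed procedure parameters, so the password value in the question is handled as an ordinary string. The one case worth checking in such a procedure is T-SQL that builds its own statement by concatenating a parameter into EXEC(...); that just moves the concatenation into the database, and sp_executesql with parameters is the fix there.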