How to handle SQL injection in mssql node module

In Expressjs project, I am using https://www.npmjs.com/package/mssql to connect to Microsoft SQL Server and trying to execute a stored procedure. According the to documentation of mssql (https://www.npmjs.com/package/mssql#sql-injection) will handle all the SQL injection what I think its not happening.

Can someone help me how to handle SQL injection in this node module?

var sql = require('mssql');
var dbConfig = {};
var Connection = new sql.Connection(dbConfig);
Connection.connect().then(function(_connection){
    var request = new sql.Request(_connection);
    request.verbose = true;
    request.input('username', 'patriksimek');
    request.input('password', 'delete from dbo.Users where userId =1');
    request.input('attempts', 2);
    request.execute('my_stored_procedure');
})

You are using a stored procedure which cannot be sql injected.

You don't need to do anything.

SQL injection is the technique to hack by pass some SQL statement to the server.

eg, for code

'SELECT * FROM user WHERE username = ' + username

if I pass username = 'xxx; DELETE FROM user;' username = 'xxx; DELETE FROM user;' , then all records in users table will be gone

To protect from SQL injection

  • use query parametrization
  • use stored procedures (that you are using now)
  • 链接地址: http://www.djcxy.com/p/93832.html

    上一篇: es6模板文字是否可以防止sql注入?

    下一篇: 如何在mssql节点模块中处理SQL注入