Login/Register
Does pg (node-postgres) automatically sanitize data
Asked Answered
Solved node.jspgnode-postgres
W

3

23

I am using node-postgres for a production application and I am wondering if there is anything I should be concerned about? Is the data sanitized automatically by node-postgres?

I couldn't find anything about it on the github page: https://github.com/brianc/node-postgres

Weakwilled answered 4/1, 2017 at 3:2 Comment(0)
T
7

It depends on how you execute your queries:

Formatting via Prepared Statements is executed by the server, which in turn sanitizes your query from any SQL injection. But it has other restrictions, like you cannot execute more than one query at a time, and you cannot provide sanitizied entity names when needed.

Client-side query formatting, like the one implemented by pg-promise, sanitizes values, plus offers flexibility in formatting entity names and multiple queries.

Tedtedd answered 4/1, 2017 at 10:27 Comment(4)
Stupid question - can a formatted string query be considered a prepared statement if passed to .query? where are docs on this?Consol
or would it have to be this syntax? var queryText = 'INSERT INTO users(password_hash, email) VALUES($1, $2) RETURNING id' client.query(queryText, ['841l14yah', '[email protected]'Consol
got that here github.com/brianc/node-postgres/wiki/FAQConsol
@VincentBuscarello A query is executed as Prepared Statement when it is passed into query method as {name, text, values}.Tedtedd
R
35

Absolutely! The parameterized query support in node-postgres is first class. All escaping is done by the postgresql server ensuring proper behavior across dialects, encodings, etc... For example, this will not inject sql:

client.query("INSERT INTO user(name) VALUES($1)", ["'; DROP TABLE user;"], function (err, result) {
  // ...
});

This is from their documentation.

Raving answered 4/1, 2017 at 3:49 Comment(0)
A
21

It basically depends on how you execute your queries as @vitaly-t described

Suppose you will define query in a string and execute as follows:

var query = `SELECT * FROM table where username='${username}' and password='${password}`;
        
pool.query(query, (error, results) => {
});

This case if i would pass username=' 'or 1=1; -- and password=' 'or 1=1; --

Then it will return all records from the table (means SQL injection works)

But if I would execute the following query

pool.query('SELECT * FROM table where username=$1 and password=$2', [username, password], (error, results) => {
});

Then SQL injection will never work because pg will sanitize the data.

So it's depends on how you execute the queries.

Afoot answered 25/2, 2019 at 9:30 Comment(1)
Shouldn't that be query = "SELECT * FROM table where username='${username}' and password='${password}'" ? PS: could not add the `Homogamy
T
7

It depends on how you execute your queries:

Formatting via Prepared Statements is executed by the server, which in turn sanitizes your query from any SQL injection. But it has other restrictions, like you cannot execute more than one query at a time, and you cannot provide sanitizied entity names when needed.

Client-side query formatting, like the one implemented by pg-promise, sanitizes values, plus offers flexibility in formatting entity names and multiple queries.

Tedtedd answered 4/1, 2017 at 10:27 Comment(4)
Stupid question - can a formatted string query be considered a prepared statement if passed to .query? where are docs on this?Consol
or would it have to be this syntax? var queryText = 'INSERT INTO users(password_hash, email) VALUES($1, $2) RETURNING id' client.query(queryText, ['841l14yah', '[email protected]'Consol
got that here github.com/brianc/node-postgres/wiki/FAQConsol
@VincentBuscarello A query is executed as Prepared Statement when it is passed into query method as {name, text, values}.Tedtedd

© 2022 - 2024 — McMap. All rights reserved.