1.1.0 • Published 5 years ago
@capriza/safe-sql v1.1.0
safe-sql
Protect your code from accidental SQL injection vulnerabilities by using the SQL template tag on raw SQL queries with Sequelize.
Provides the best protection against accidental SQL injection when combined with the use of https://github.com/capriza/eslint-plugin-safe-sql.
Installation
$ npm install @capriza/safe-sql
Usage
// the wrong way - potential vulnerability
sequelize.query(`SELECT * FROM users WHERE name = ${req.query.username}`);
// the right way - using bind
sequelize.query(`SELECT * FROM users WHERE name = $1`, {bind: [req.query.username]});
// the best way - using safe-sql: each ${...} becomes a bind parameter automatically
const SQL = require("@capriza/safe-sql"); // require the package under the name it is installed as
sequelize.query(SQL`SELECT * FROM users WHERE name = ${req.query.username}`);
concat
The concat method enables building a single SQL query by concatenating several SQL query parts.
let query = SQL`SELECT * FROM users WHERE name = ${req.query.username}`;
if (req.query.location) {
query.concat(SQL` AND location = ${req.query.location}`);
}
query.concat(SQL` LIMIT ${req.query.limit}`);
sequelize.query(query);
// -> SELECT * FROM users WHERE name = $1 AND location = $2 LIMIT $3
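To make the Usage and concat sections above concrete, here is an added example of how such a template tag keeps interpolated values out of the SQL text; it is illustrative code, not the safe-sql package's own source, and the SafeQuery class and its toQuery method are names chosen for this example.

```javascript
class SafeQuery {
  constructor(strings, values) {
    this.strings = strings; // developer-authored SQL fragments (template literal text)
    this.values = values;   // runtime values, one per ${...} slot
  }

  // Append another SafeQuery in place, as the page's concat does: glue this
  // query's last fragment to the other's first fragment and append its values;
  // placeholders get renumbered simply by re-rendering.
  concat(other) {
    const last = this.strings.length - 1;
    this.strings = [
      ...this.strings.slice(0, last),
      this.strings[last] + other.strings[0],
      ...other.strings.slice(1),
    ];
    this.values = [...this.values, ...other.values];
    return this;
  }

  // Render to $1, $2, ... placeholders plus the bind array, the shape that
  // sequelize.query(query, { bind }) accepts. (toQuery is this example's name.)
  toQuery() {
    const query = this.strings
      .map((chunk, i) => (i < this.values.length ? `${chunk}$${i + 1}` : chunk))
      .join("");
    return { query, bind: [...this.values] };
  }
}

// The tag: `strings` holds the static template text, `values` the ${...}
// expressions, so request input can only ever land in the bind array.
function SQL(strings, ...values) {
  return new SafeQuery([...strings], values);
}

// Constructed request, including a classic injection attempt in the username,
// to show it stays a bound value rather than becoming query text.
const req = { query: { username: "alice' OR '1'='1", location: "Haifa", limit: 10 } };
const query = SQL`SELECT * FROM users WHERE name = ${req.query.username}`;
if (req.query.location) query.concat(SQL` AND location = ${req.query.location}`);
query.concat(SQL` LIMIT ${req.query.limit}`);
const rendered = query.toQuery();
// rendered.query -> "SELECT * FROM users WHERE name = $1 AND location = $2 LIMIT $3"
// rendered.bind  -> ["alice' OR '1'='1", "Haifa", 10]
```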