Defending against SQL injection?

[cmundi]

I'm looking for some guidance on preventing SQL injection attacks, specifically with node-sqlite3.

For example, will using

Database#prepare(sql, [param, ...], [callback])

protect against SQL injection?

Thanks.

[kkaefer]

SQLite protects you against SQL injections if you specify user-supplied data as part of the params rather than stringing together an SQL query:

BAD: db.prepare("INSERT INTO foo VALUES(" + variable + ")");

GOOD: db.prepare("INSERT INTO foo VALUES (?)", variable);

By using the placeholder ?, SQLite automatically treats the data as input data and it does not interfere with parsing the actual SQL statement.

[cmundi]

Thanks. I hoped so. I did not want to assume that "prepare" in
node-sqlite3 means thevsamw thing as sqlite3_prepare in the sqlite libs. I
should stop being lazy and just look at the source. :) Thanks!
On Jan 21, 2012 3:08 AM, "Konstantin Kfer" <
reply@reply.github.com>
wrote:

SQLite protects you against SQL injections if you specify user-supplied
data as part of the params rather than stringing together an SQL query:

BAD: db.prepare("INSERT INTO foo VALUES(" + variable + ")");

GOOD: `db.prepare("INSERT INTO foo VALUES (?)", variable);

By using the placeholder ?, SQLite automatically treats the data as
input data and it does not interfere with parsing the actual SQL statement.

---

Reply to this email directly or view it on GitHub:

#57 (comment)