This repository has been archived by the owner on Nov 9, 2021. It is now read-only.
```js
const squel = require('squel')

const unsafeString = "' AND '1' = '1"
console.log(squel.select().from('some_table').where('id = ?', unsafeString).toString())
// output: SELECT * FROM some_table WHERE (id = '' AND '1' = '1')
```
Problem

for example:

```js
const squel = require('squel')

const lines = 'ABC\nDEF\'IJK'
const json = JSON.stringify({ lines: lines })
console.log(squel.select().from('some_table').where('lines = ? OR json = ?', lines, json).toString())
```

expect:

```sql
SELECT * FROM some_table WHERE (lines = 'ABC\nDEF\'IJK' OR json = '{\"lines\":\"ABC\\nDEF\'IJK\"}')
```

actual:

```sql
SELECT * FROM some_table WHERE (lines = 'ABCDEF'IJK' OR json = '{"lines":"ABC\nDEF'IJK"}')
```
yibn2008 changed the title three times on Sep 20, 2018:

- "MySQL string escape is incorrect" to "MySQL string escape is incorrect, especially when string contains \n"
- "MySQL string escape is incorrect, especially when string contains \n" to "string escape is incorrect, especially when string contains \n or '"
- "string escape is incorrect, especially when string contains \n or '" to "string escape is incorrect, especially when string contains \n or ', which may cause SQL injection"
IMPORTANT: This issue may cause SQL injection.

Workaround

Using `sqlstring` will escape string values correctly:
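As an added example (my own code, not squel's and not sqlstring's), here is the kind of escaping the workaround relies on: a MySQL-style string escaper covering the same character set sqlstring handles, plus a small `?` binder built on it, run over the two inputs from this report. The names `escapeString`, `escapeValue` and `bind` are this example's own and are not part of either library.

```javascript
// Added example, not code from squel or sqlstring: a MySQL-style string
// escaper in the spirit of the `sqlstring` workaround, and a `?` binder
// built on it, so the inputs from this report can be checked directly.

// Characters MySQL needs backslash-escaped inside a quoted literal
// (the set sqlstring handles), each mapped to its escape sequence.
const ESCAPE_MAP = {
  '\0': '\\0',
  '\b': '\\b',
  '\t': '\\t',
  '\n': '\\n',
  '\r': '\\r',
  '\x1a': '\\Z',
  '"': '\\"',
  "'": "\\'",
  '\\': '\\\\',
};
const ESCAPE_RE = /[\0\b\t\n\r\x1a"'\\]/g;

// Quote a JS string as a MySQL string literal.
function escapeString(value) {
  return "'" + String(value).replace(ESCAPE_RE, (ch) => ESCAPE_MAP[ch]) + "'";
}

// Render one bound parameter as SQL text. Strings and a few scalar types
// are supported; anything else is rejected rather than guessed at.
function escapeValue(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number' && Number.isFinite(value)) return String(value);
  if (typeof value === 'boolean') return value ? 'true' : 'false';
  if (typeof value === 'string') return escapeString(value);
  throw new TypeError(`unsupported parameter type: ${typeof value}`);
}

// Replace each `?` in a developer-written SQL template with an escaped
// parameter. The template is trusted text; only `params` is untrusted.
// A placeholder/parameter count mismatch is an error, never a bare `?`.
function bind(sql, params) {
  let used = 0;
  const out = sql.replace(/\?/g, () => {
    if (used >= params.length) throw new Error('more placeholders than parameters');
    return escapeValue(params[used++]);
  });
  if (used !== params.length) throw new Error('more parameters than placeholders');
  return out;
}

// The two inputs from the report, used here as constructed sample data.
const unsafeString = "' AND '1' = '1";
const lines = 'ABC\nDEF\'IJK';
const json = JSON.stringify({ lines: lines });

// The quote-injection input: every quote is escaped, so the literal stays
// a single string and the "AND '1' = '1" never becomes SQL.
function injectionExample() {
  return bind('SELECT * FROM some_table WHERE (id = ?)', [unsafeString]);
}

// The newline/quote input and its JSON form: matches the "expect" output
// in the report, including the doubled backslash inside the JSON value.
function newlineExample() {
  return bind('SELECT * FROM some_table WHERE (lines = ? OR json = ?)', [lines, json]);
}

console.log(injectionExample());
console.log(newlineExample());
```

Two caveats worth keeping in mind with any client-side escaper of this shape: the binder treats every `?` in the template as a placeholder, so the template must be developer-written and never contain a literal `?`; and backslash escaping assumes the server's default `sql_mode`, so a connection running with `NO_BASKSLASH_ESCAPES` would interpret these escapes differently. Server-side prepared statements, where the driver supports them, send values out of band and avoid the question entirely.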