await query(`INSERT INTO feedback.app_v2 SET ?`, feedback)

I wrote this line of code in my JS project to insert data into the table concerned.

I want to ask whether this MySQL syntax is safe from SQL injection. Here feedback is an object whose keys match the app_v2 table columns.

  • Yes, it is safe; see https://stackoverflow.com/questions/15778572/preventing-sql-injection-in-node-js – nbk Feb 24 '22 at 23:24



That's not valid MySQL syntax.

This is valid MySQL syntax:

INSERT INTO feedback.app_v2 SET mycolumn = ?

Yes, it is safe from SQL injection, because the dynamic value is restricted to a query parameter. This is not combined with the query until after the query has been parsed, so there is no way the parameter can introduce unintended syntax.

If the NPM package can do string substitution to put the key = 'value' syntax into the query string, that's not a true query parameter. The assignment must be part of the query before it is parsed, but proper query parameters are not combined with the query until after it is parsed.

So you're depending on the code in the NPM package to do the string substitution without any bugs that result in SQL injection vulnerability.

Bill Karwin
  • I think I didn't provide sufficient information, but that is valid syntax for the mysql npm package. It automatically converts object keys to key = 'value' syntax before executing the query. – Talal Anwer Feb 24 '22 at 23:13
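As an added illustration of the client-side substitution the answer describes (example code written for this page, not the mysql package's own implementation): a small SET-clause builder that escapes values and quotes identifiers the way the package's object expansion does, plus an allowlist of columns, because an object key ends up as an identifier in the statement rather than as a value. The column names and the sample feedback object are assumptions.

```javascript
// Added example, not the mysql package's code: a client-side SET-clause
// builder in the style of mysql's `SET ?` object expansion, so the exact
// text sent to the server is visible. Two defensive extras: keys are checked
// against an allowlist, and values are escaped locally (the real package
// does that with mysql.escape() and mysql.escapeId()).

// Assumed column set of feedback.app_v2 (hypothetical; not on the page).
const APP_V2_COLUMNS = new Set(['user_id', 'rating', 'comment']);

// Escape a value as a SQL string literal: backslash-escape characters that
// could terminate the literal or change its meaning.
function escapeValue(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') return String(value);
  if (typeof value === 'boolean') return value ? 'true' : 'false';
  const map = { '\0': '\\0', '\n': '\\n', '\r': '\\r', '\b': '\\b',
                '\t': '\\t', '\x1a': '\\Z', '\\': '\\\\', "'": "\\'", '"': '\\"' };
  return `'${String(value).replace(/[\0\n\r\b\t\x1a\\'"]/g, (ch) => map[ch])}'`;
}

// Quote an identifier with backticks, doubling any embedded backtick.
function escapeId(name) {
  return '`' + String(name).replace(/`/g, '``') + '`';
}

// Build "`col1` = 'v1', `col2` = 2" from an object. A key becomes an
// identifier in the query, not a value, so unknown keys are rejected
// instead of interpolated.
function formatSet(obj, allowedColumns) {
  const parts = [];
  for (const [key, value] of Object.entries(obj)) {
    if (!allowedColumns.has(key)) {
      throw new Error(`unknown column in SET object: ${key}`);
    }
    parts.push(`${escapeId(key)} = ${escapeValue(value)}`);
  }
  return parts.join(', ');
}

// The full statement as the client library would send it: substitution is
// finished before the server ever parses the text.
function buildInsert(obj) {
  return `INSERT INTO feedback.app_v2 SET ${formatSet(obj, APP_V2_COLUMNS)}`;
}

// Constructed sample input; the comment contains a quote and a backslash.
const sampleFeedback = { user_id: 42, rating: 5, comment: "it's \\great\\" };
console.log(buildInsert(sampleFeedback));
```

Running it prints the statement with the quote and backslash in the comment escaped, which is the point of the answer: the server only ever sees finished text, so correctness rests entirely on the client-side escaping and on the keys being ones you expect.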