Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
The sqlstring npm package is a utility for safely constructing SQL queries by escaping and formatting SQL strings. It helps prevent SQL injection attacks by ensuring that user input is properly escaped before being included in SQL queries.
Escaping Query Values
This feature allows you to safely escape values in SQL queries to prevent SQL injection. The `format` method replaces placeholders in the query with escaped values.
const sqlstring = require('sqlstring');
const userId = 'someUser';
const query = sqlstring.format('SELECT * FROM users WHERE id = ?', [userId]);
console.log(query); // Output: SELECT * FROM users WHERE id = 'someUser'
Escaping Identifiers
This feature allows you to escape SQL identifiers such as table or column names. The `escapeId` method ensures that the identifier is properly quoted.
const sqlstring = require('sqlstring');
const tableName = 'users';
const query = `SELECT * FROM ${sqlstring.escapeId(tableName)}`;
console.log(query); // Output: SELECT * FROM `users`
Escaping Strings
This feature allows you to escape strings to be safely included in SQL queries. The `escape` method adds necessary escape characters to the string.
const sqlstring = require('sqlstring');
const unsafeString = "O'Reilly";
const escapedString = sqlstring.escape(unsafeString);
console.log(escapedString); // Output: 'O\'Reilly'
Escaping and Formatting Objects
This feature allows you to escape and format objects for SQL queries. The `format` method can be used with objects to generate a properly escaped SQL query.
const sqlstring = require('sqlstring');
const user = { id: 1, name: 'John Doe' };
const query = sqlstring.format('INSERT INTO users SET ?', user);
console.log(query); // Output: INSERT INTO users SET `id` = 1, `name` = 'John Doe'
The mysql package is a popular MySQL client for Node.js that includes built-in methods for escaping query values and identifiers. It provides a more comprehensive solution for interacting with MySQL databases, including connection management and query execution.
The pg package is a PostgreSQL client for Node.js that also includes methods for escaping query values. It is designed specifically for PostgreSQL and provides a full-featured interface for interacting with PostgreSQL databases.
Knex.js is a SQL query builder for Node.js that supports multiple database systems, including MySQL, PostgreSQL, and SQLite. It provides a higher-level abstraction for building SQL queries and includes methods for safely escaping values and identifiers.
Simple SQL escape and format for MySQL
$ npm install sqlstring
var SqlString = require('sqlstring');
Caution These methods of escaping values only works when the NO_BACKSLASH_ESCAPES SQL mode is disabled (which is the default state for MySQL servers).
In order to avoid SQL Injection attacks, you should always escape any user
provided data before using it inside a SQL query. You can do so using the
SqlString.escape()
method:
var userId = 'some user provided value';
var sql = 'SELECT * FROM users WHERE id = ' + SqlString.escape(userId);
console.log(sql); // SELECT * FROM users WHERE id = 'some user provided value'
Alternatively, you can use ?
characters as placeholders for values you would
like to have escaped like this:
var userId = 1;
var sql = SqlString.format('SELECT * FROM users WHERE id = ?', [userId]);
console.log(sql); // SELECT * FROM users WHERE id = 1
Multiple placeholders are mapped to values in the same order as passed. For example,
in the following query foo
equals a
, bar
equals b
, baz
equals c
, and
id
will be userId
:
var userId = 1;
var sql = SqlString.format('UPDATE users SET foo = ?, bar = ?, baz = ? WHERE id = ?',
['a', 'b', 'c', userId]);
console.log(sql); // UPDATE users SET foo = 'a', bar = 'b', baz = 'c' WHERE id = 1
This looks similar to prepared statements in MySQL, however it really just uses
the same SqlString.escape()
method internally.
Caution This also differs from prepared statements in that all ?
are
replaced, even those contained in comments and strings.
Different value types are escaped differently, here is how:
true
/ false
'YYYY-mm-dd HH:ii:ss'
stringsX'0fa5'
['a', 'b']
turns into 'a', 'b'
[['a', 'b'], ['c', 'd']]
turns into ('a', 'b'), ('c', 'd')
toSqlString
method will have .toSqlString()
called
and the returned value is used as the raw SQL.key = 'val'
pairs for each enumerable property on
the object. If the property's value is a function, it is skipped; if the
property's value is an object, toString() is called on it and the returned
value is used.undefined
/ null
are converted to NULL
NaN
/ Infinity
are left as-is. MySQL does not support these, and trying
to insert them as values will trigger MySQL errors until they implement
support.You may have noticed that this escaping allows you to do neat things like this:
var post = {id: 1, title: 'Hello MySQL'};
var sql = SqlString.format('INSERT INTO posts SET ?', post);
console.log(sql); // INSERT INTO posts SET `id` = 1, `title` = 'Hello MySQL'
And the toSqlString
method allows you to form complex queries with functions:
var CURRENT_TIMESTAMP = { toSqlString: function() { return 'CURRENT_TIMESTAMP()'; } };
var sql = SqlString.format('UPDATE posts SET modified = ? WHERE id = ?', [CURRENT_TIMESTAMP, 42]);
console.log(sql); // UPDATE posts SET modified = CURRENT_TIMESTAMP() WHERE id = 42
To generate objects with a toSqlString
method, the SqlString.raw()
method can
be used. This creates an object that will be left un-touched when using in a ?
placeholder, useful for using functions as dynamic values:
Caution The string provided to SqlString.raw()
will skip all escaping
functions when used, so be careful when passing in unvalidated input.
var CURRENT_TIMESTAMP = SqlString.raw('CURRENT_TIMESTAMP()');
var sql = SqlString.format('UPDATE posts SET modified = ? WHERE id = ?', [CURRENT_TIMESTAMP, 42]);
console.log(sql); // UPDATE posts SET modified = CURRENT_TIMESTAMP() WHERE id = 42
If you feel the need to escape queries by yourself, you can also use the escaping function directly:
var sql = 'SELECT * FROM posts WHERE title=' + SqlString.escape('Hello MySQL');
console.log(sql); // SELECT * FROM posts WHERE title='Hello MySQL'
If you can't trust an SQL identifier (database / table / column name) because it is
provided by a user, you should escape it with SqlString.escapeId(identifier)
like this:
var sorter = 'date';
var sql = 'SELECT * FROM posts ORDER BY ' + SqlString.escapeId(sorter);
console.log(sql); // SELECT * FROM posts ORDER BY `date`
It also supports adding qualified identifiers. It will escape both parts.
var sorter = 'date';
var sql = 'SELECT * FROM posts ORDER BY ' + SqlString.escapeId('posts.' + sorter);
console.log(sql); // SELECT * FROM posts ORDER BY `posts`.`date`
If you do not want to treat .
as qualified identifiers, you can set the second
argument to true
in order to keep the string as a literal identifier:
var sorter = 'date.2';
var sql = 'SELECT * FROM posts ORDER BY ' + SqlString.escapeId(sorter, true);
console.log(sql); // SELECT * FROM posts ORDER BY `date.2`
Alternatively, you can use ??
characters as placeholders for identifiers you would
like to have escaped like this:
var userId = 1;
var columns = ['username', 'email'];
var sql = SqlString.format('SELECT ?? FROM ?? WHERE id = ?', [columns, 'users', userId]);
console.log(sql); // SELECT `username`, `email` FROM `users` WHERE id = 1
Please note that this last character sequence is experimental and syntax might change
When you pass an Object to .escape()
or .format()
, .escapeId()
is used to avoid SQL injection in object keys.
You can use SqlString.format
to prepare a query with multiple insertion points,
utilizing the proper escaping for ids and values. A simple example of this follows:
var userId = 1;
var inserts = ['users', 'id', userId];
var sql = SqlString.format('SELECT * FROM ?? WHERE ?? = ?', inserts);
console.log(sql); // SELECT * FROM `users` WHERE `id` = 1
Following this you then have a valid, escaped query that you can then send to the database safely.
This is useful if you are looking to prepare the query before actually sending it to the database.
You also have the option (but are not required) to pass in stringifyObject
and timeZone
,
allowing you provide a custom means of turning objects into strings, as well as a
location-specific/timezone-aware Date
.
This can be further combined with the SqlString.raw()
helper to generate SQL
that includes MySQL functions as dynamic vales:
var userId = 1;
var data = { email: 'foobar@example.com', modified: SqlString.raw('NOW()') };
var sql = SqlString.format('UPDATE ?? SET ? WHERE `id` = ?', ['users', data, userId]);
console.log(sql); // UPDATE `users` SET `email` = 'foobar@example.com', `modified` = NOW() WHERE `id` = 1
FAQs
Simple SQL escape and format for MySQL
The npm package sqlstring receives a total of 3,420,678 weekly downloads. As such, sqlstring popularity was classified as popular.
We found that sqlstring demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.