Avoid SQL injections

Ce produit n'est pas pris en charge par le site Datadog que vous avez sélectionné. ().
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

ID: javascript-node-security/variable-sql-statement-injection

Language: JavaScript

Severity: Warning

Category: Security

CWE: 89

Description

Check for variable declarations in a SQL statement where there is potential for SQL injections.

Non-Compliant Code Examples

var table = 'baz';

const foo = "SELECT foo FROM " + table;
const select = `SELECT foo FROM ${table}`;
var del = `DELETE FROM ${table} WHERE condition;`;
let update = ' UPDATE ' +
             table +
             "SET column1 = value1, column2 = value2" +
             "WHERE condition;";

// Not safe: template strings with value
let update = ` UPDATE ` +
             'mytable' +
             `SET column1 = value1, column2 = ${value}` +
             "WHERE condition;";

Compliant Code Examples

// Safe: using parameterized queries
const query = "SELECT foo FROM users WHERE id = ?";
connection.query(query, [userId]);

// Safe: only strings
let update = ' UPDATE ' +
             'mytable' +
             "SET column1 = value1, column2 = value2" +
             "WHERE condition;";

// safe: template strings without value
let update = ` UPDATE ` +
             'mytable' +
             `SET column1 = value1, column2 = value2` +
             "WHERE condition;";
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains