3

I'm using the orientjs library to perform operations in the Orient Database. I read in the documentation that it's possible to use parameter-style queries like the following:

db.query(
   'SELECT name, ba FROM Player '
   + 'WHERE ba >= :ba AND team = ":team"',
   {params: {
      ba: targetBA,
      team: targetTeam }
   }, limit: 20
).then(function(hitters){
   console.log(hitters)
});

My question is: Is it enough to prevent SQL injection? Because I didn't find information about that in the NodeJS API. In the case of Java, there is a 'Prepared Query' concept, I'm not sure if they are refering to the same thing.

iamdeit
  • 5,485
  • 4
  • 26
  • 40

1 Answers1

5

Seems to be secure, I'm trying with this code (yours taken from the wiki is a bit buggy):

var name='admin';

db.open().then(function() {
    return db.query(
        "SELECT * FROM OUser "
        + "WHERE name = :name",
        {params:{
            name: name
            }
        });
}).then(function(res){
    console.log(res);
    db.close().then(function(){
        console.log('closed');
    });
});

First of all, the query is parsed as SELECT * FROM OUser WHERE name = "admin" (observed with the Studio Query Profiler).

As expected, I get the admin user record.

Since the params are evaluated directly as String, there's non need quote them (e.g. :name not ':name'). So there is no way to inject something like ' OR '1'='1 or any ; drop something;

Here are some test I did:

  • var name='; create class p;';

    returns no records;

    evaluated by orient as: SELECT * FROM OUser WHERE name = "; create class p;"

  • var name="' OR '1'='1";

    returns no records;

    evaluated as: SELECT * FROM OUser WHERE name = "' OR '1'='1"

  • var name='" OR "1"="1';

    returns no records;

    evaluated as: SELECT * FROM OUser WHERE name = "\" OR \"1\"=\"1"

  • quoting the param name in the query: "WHERE name = ':name'"

    evaluated as: SELECT * FROM OUser WHERE name = ':name'

Feel free to try more combinations, in my opinion seems quite safe.

Ivan Mainetti
  • 1,982
  • 7
  • 13
  • 1
    Thank you very much. I think they should add a small section explaining that in their docs: http://orientdb.com/docs/last/OrientJS-Query.html – iamdeit Oct 06 '16 at 17:01