Is it effective to prevent SQL injection by doubling a single quote using Postgres 11?

Asked Nov 27 '19 at 13:02

Active Nov 27 '19 at 13:37

Viewed 45 times

Is it fully effective when using Postgres 11 in Node.js backend? I've tested the code with a lot of cheatsheets and everything was fine.

PostgreSQL Query:

INSERT INTO test(a, b) VALUES ('${Utils.esc(a)}', '${Utils.esc(b)}')

Code to prevent SQL Injection:

esc: (str) => {
    return str.toString().replace(/(['])/g, "'$1");
},

Preliminary tests didn't show me any susceptibility, but maybe one of you knows more.

edited Nov 27 '19 at 13:37

asked Nov 27 '19 at 13:02

blaxckv

8

No. It is not sufficient. Use parameters. – Gordon Linoff Nov 27 '19 at 13:02
@GordonLinoff I've tested the code with a lot of cheatsheets and everything was fine. Why? – blaxckv Nov 27 '19 at 13:09
5

. . You'd better learn quickly that *your* testing does not define security on a system. – Gordon Linoff Nov 27 '19 at 13:23
@GordonLinoff I have just been instructed to show that it is as you say it is. I'd rather use the parameters. – blaxckv Nov 27 '19 at 13:30

0 Answers0