I tried to execute a stored procedure in node-mssql that performs a SQL update:

JavaScript code:

const sql = require('mssql');   // node-mssql client (the lines below run inside an async handler)

// Bind the procedure parameters as typed inputs; the values never go into SQL text.
const request = new sql.Request();
request.input('name', sql.NVarChar, req.body.name);
request.input('id',  sql.BigInt, req.body.id);
await sql.connect(config);              // open the global connection pool before executing
await request.execute('Update_Name');   // run the stored procedure by name

But the above code returns a SQL injection error:

{
    "code": "EINJECT",
    "name": "RequestError"
}

I can't find any reference in the docs on how to negate SQL injections when working with stored procedures.

I'm guessing my input values are the problem? I can't see from the documentation what extra steps I need to take, or the recommended approach?

Any help would be much appreciated.

GregD
    FYI, the `sp_` prefix is **reserved** by Microsoft and means **S**pecial **P**rocedure. It should not be used for User Procedures. [Is the sp_ prefix still a no-no?](https://sqlperformance.com/2012/10/t-sql-queries/sp_prefix) – Thom A Oct 20 '20 at 16:23
  • Sorry that was only for the example, I will remove – GregD Oct 20 '20 at 16:27
  • Does it improve if you use a length specifier? e.g.: `request.input('name', sql.NVarChar(50), req.body.name);` ref: [Data Types](https://github.com/tediousjs/node-mssql#data-types) – AlwaysLearning Oct 21 '20 at 00:06
  • @AlwaysLearning I tried specifying the length but still I get the SQL injection error. Thank you for your suggestion, I appreciate you taking the time to ask. – GregD Oct 21 '20 at 07:20
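An added example, not from the question, its comments, or node-mssql itself. The `EINJECT` code in node-mssql is raised by `request.input()` when the parameter *name* (not the value) contains a space, a quote, or a comment marker (`--`, `/*`, `*/`), so the helper below validates every parameter and procedure name up front and reports which one failed, then binds the values through `input()` with explicit types and lengths so they never reach the SQL text. It assumes a node-mssql style request object exposing `input(name, type, value)` and `execute(procedureName)`; the in-memory stand-in and the type constructors at the bottom are constructed for running offline and are not part of the library.

```javascript
// Added example: bind stored-procedure parameters by name with explicit types,
// validating names first. Assumes a node-mssql style request object with
// input(name, type, value) and execute(procedureName). The fakeRequest() and
// the type stand-ins below are constructed for offline use, not library code.

// node-mssql rejects parameter names containing a space, a quote or a comment
// marker with RequestError code EINJECT. We are stricter: identifiers only.
const PARAM_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;
// Procedure names may be schema-qualified (e.g. dbo.Update_Name); nothing else.
const PROC_NAME = /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/;

function rejectName(kind, name) {
  const err = new Error(`unsafe ${kind} name: ${JSON.stringify(name)}`);
  err.code = 'EINJECT';           // mirror the library's code so callers can branch on it
  throw err;
}

function checkParamName(name) {
  if (typeof name !== 'string' || !PARAM_NAME.test(name)) rejectName('parameter', name);
  return name;
}

function checkProcName(name) {
  if (typeof name !== 'string' || !PROC_NAME.test(name)) rejectName('procedure', name);
  return name;
}

// params: { paramName: { type, value, length? } }, where type is a node-mssql
// type such as sql.NVarChar and length, if given, is applied as type(length).
// Every value goes through request.input(), never into the SQL string.
function bindProcedureParams(request, params) {
  for (const [name, spec] of Object.entries(params)) {
    checkParamName(name);
    if (spec === undefined || spec.value === undefined) {
      throw new TypeError(`parameter ${name} has no value`);
    }
    const type = spec.length !== undefined ? spec.type(spec.length) : spec.type;
    request.input(name, type, spec.value);
  }
  return request;
}

// Execute a stored procedure (e.g. Update_Name from the question) with bound parameters.
async function executeProcedure(request, procedureName, params) {
  checkProcName(procedureName);
  bindProcedureParams(request, params);
  return request.execute(procedureName);
}

// Constructed in-memory stand-in for sql.Request; records what would be sent.
function fakeRequest() {
  const inputs = [];
  return {
    inputs,
    input(name, type, value) { inputs.push({ name, type, value }); },
    async execute(procedure) { return { procedure, inputs }; },
  };
}

// Constructed stand-ins for the node-mssql type constructors used in the question.
const NVarChar = (length) => ({ kind: 'NVarChar', length });
const BigInt_ = { kind: 'BigInt' };

// Build the same two parameters as the question, with a length on the string.
function bindUpdateNameParams(request, id, name) {
  return bindProcedureParams(request, {
    name: { type: NVarChar, length: 50, value: name },
    id: { type: BigInt_, value: id },
  });
}

// Returns the error code produced for a bad parameter name, or null if accepted.
function codeForParamName(name) {
  try {
    bindProcedureParams(fakeRequest(), { [name]: { type: NVarChar, value: 'x' } });
    return null;
  } catch (e) {
    return e.code || e.name;
  }
}

// Stand-alone demonstration with constructed values (no database needed).
console.log(bindUpdateNameParams(fakeRequest(), 42, 'Ada').inputs);
console.log('name with a space ->', codeForParamName('user name'));
```

With a real pool the call is `executeProcedure(new sql.Request(), 'Update_Name', {...})` after `sql.connect(config)`; the bound inputs are sent as typed RPC parameters, so no escaping of the values is needed on the application side.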

0 Answers