show how to use mysql.escape in the sql-injection qhelp

erik-krogh · erik-krogh · commit 98820780af90 · 2023-05-31T18:04:34.000+02:00
diff --git a/javascript/ql/src/Security/CWE-089/SqlInjection.inc.qhelp b/javascript/ql/src/Security/CWE-089/SqlInjection.inc.qhelp
@@ -55,6 +55,12 @@ immune to injection attacks.
 </p>
 
 <sample src="examples/SqlInjectionFix.js" />
+
+<p>
+Alternatively, we can use a library like <code>sqlstring</code> to
+escape the user input before embedding it into the query string:
+</p>
+<sample src="examples/SqlInjectionFix2.js" />
 </example>
 
 <example>
diff --git a/javascript/ql/src/Security/CWE-089/examples/SqlInjectionFix2.js b/javascript/ql/src/Security/CWE-089/examples/SqlInjectionFix2.js
@@ -0,0 +1,15 @@
+const app = require("express")(),
+      pg = require("pg"),
+      SqlString = require('sqlstring'),
+      pool = new pg.Pool(config);
+
+app.get("search", function handler(req, res) {
+  // GOOD: the category is escaped using mysql.escape
+  var query1 =
+    "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" +
+    SqlString.escape(req.params.category) +
+    "' ORDER BY PRICE";
+  pool.query(query1, [], function(err, results) {
+    // process results
+  });
+});
