Security (XSS / SQL Injection)


jairo malanay

Aug 25, 2014, 5:47:15 AM8/25/14
to node-...@googlegroups.com
Hi,

I'm new to node-mysql; we just transferred from Mongo to MySQL.

Q: how do I prevent XSS/SQL injection?

I have read about connection.escape/escapeId.

I tried this:
var post  = {id: 1, title: 'Hello MySQL'};
var query = connection.query('INSERT INTO posts SET ?', post, function(err, result) {
  // Neat!
});
Then I tried this one:
var post = {
  id: 2,
  title: '<script>alert("1");</script>'
};
but it doesn't escape/strip the tags at all.
Any help/suggestions/comments will be appreciated :)
Thank you.
Sorry for my grammar.

Felix Geisendörfer

Aug 25, 2014, 5:48:32 AM8/25/14
to node-...@googlegroups.com
You’re confusing XSS and SQL injections. SQL escaping only prevents SQL injections. XSS is application specific (not all apps serve HTML), so you need to escape for XSS yourself.

Cheers,
Felix
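A worked contrast of the two layers Felix separates, as an added example that is not code from the thread or from node-mysql itself: a simplified stand-in for the driver's value escaping (an assumption: it mirrors what connection.escape does for plain strings and numbers only) beside the HTML output escaping the application has to do on its own.

```javascript
// Simplified stand-in for node-mysql's string escaping (assumption, not the
// library's code): wrap in quotes and backslash-escape the characters MySQL
// treats specially. In a real app, keep using connection.escape()/placeholders.
function sqlEscapeString(value) {
  const escaped = String(value).replace(/[\0\b\t\n\r\x1a"'\\]/g, (ch) => {
    switch (ch) {
      case '\0': return '\\0';
      case '\b': return '\\b';
      case '\t': return '\\t';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\x1a': return '\\Z';
      default: return '\\' + ch; // quotes and backslash
    }
  });
  return "'" + escaped + "'";
}

// Expand an object the way the `?` placeholder in 'INSERT INTO posts SET ?'
// does: SET `col` = value, ... Every value is SQL-escaped and nothing more.
function buildInsert(table, row) {
  const assignments = Object.keys(row).map((col) => {
    const raw = row[col];
    const value = typeof raw === 'number' ? String(raw) : sqlEscapeString(raw);
    return '`' + col.replace(/`/g, '``') + '` = ' + value;
  });
  return 'INSERT INTO `' + table + '` SET ' + assignments.join(', ');
}

// Output encoding for an HTML text/attribute context: this is the XSS layer
// the database driver deliberately leaves to the application.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample: the title from the thread.
const post = { id: 2, title: '<script>alert("1");</script>' };

// SQL layer: the title becomes a quoted literal, the tags survive intact,
// which is correct: the query is safe, the stored data is unchanged.
const sql = buildInsert('posts', post);

// HTML layer: only here is the markup neutralised before it reaches a browser.
const html = '<h1>' + escapeHtml(post.title) + '</h1>';

console.log(sql);
console.log(html);
```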

jairo malanay

Aug 28, 2014, 5:09:03 AM8/28/14
to node-...@googlegroups.com, fe...@debuggable.com
Thanks for the response, Felix.
I'll look for node modules to sanitize inputs.


Thank you again.