This is such a sweet spot for SQL injection!
If you would pass a name, such as:
hax0r"OR"1"="1
you would end up with the following query:
That could become a big problem.
So I'd need some sort of validation?
I think in this instance they'd just get false as the array is never passed back but is compared to the password string, though, I see your point stands.
In this case prevalidation or filtering of user input is not a good idea, since you cannot know the wide range of quirks and exploits to guard against and you will make a mistake. It's better not having to worry about the effectiveness of an attack like that. There's a solution for that. Look into "parameterized" or "prepared" statements. Instead of baking user input right into your query string you use placeholders instead (pseudo code):
const statement = sql.prepare("SELECT user_password FROM users where username = :username")
...which are safely populated by calling a setter method on the prepared statement:
That's just pseudo code for presenting the idea. You need to look up how this is done with your library or framework
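As an added example, not code from the thread or from either commenter: the concatenated query the thread warns about beside its parameterized form, run against an in-memory database with Python's standard sqlite3 module (the thread's pseudo code is JavaScript-like, but Python's sqlite3 needs no extra packages and supports the same :username placeholder). The table, column and placeholder names follow the thread's query; the sample rows are constructed, and the payload is the thread's, written with a single quote because the query below uses a standard single-quoted SQL literal.

```python
import sqlite3

# Constructed sample rows; table and column names follow the thread's query.
SAMPLE_USERS = [
    ("alice", "hashed-pw-alice"),
    ("bob", "hashed-pw-bob"),
]

# The thread's payload, with a single quote to match the literal style below.
INJECTED_NAME = "hax0r' OR '1'='1"


def make_db():
    """Fresh in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, user_password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable form: the input is spliced into the SQL text, so a quote
    character in the input closes the literal and the rest is parsed as SQL."""
    query = "SELECT user_password FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, username):
    """Safe form: the :username placeholder is bound by the driver, so the whole
    input is compared as one string value and is never parsed as SQL."""
    query = "SELECT user_password FROM users WHERE username = :username"
    return [row[0] for row in conn.execute(query, {"username": username})]


if __name__ == "__main__":
    db = make_db()
    # Concatenated: the OR '1'='1' tail matches every row, so all passwords leak.
    print("concatenated:", lookup_concatenated(db, INJECTED_NAME))
    # Parameterized: no user is literally named hax0r' OR '1'='1, so nothing matches.
    print("parameterized:", lookup_parameterized(db, INJECTED_NAME))
```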
Thank you, I've started using sqlite3 which has prepared statements built in 😀
You were very helpful
github.com/ignis-pwa/permissions_h...
Thomas has summed it up quite nicely.
Maybe this exact query wouldn't leak your data. I really wanted to point out that these kinds of queries are potentially dangerous. 😉👍