NodeJS and MariaDB. Avoid queries for every column
I'm using NodeJS and MariaDB. I have a lot of tables where some Users can change a value via requests. I don't want to prepare queries for every column the user wants to update like:
module.exports.updateName = (name,id) =>
return pool.query("UPDATE Users SET name=? WHERE user_id=?;", [name,id])
module.exports.updateAge = (name,id) =>
return pool.query("UPDATE Users SET age=? WHERE user_id=?;", [age,id])
I want to build s.th. like a template which expects the table, columns and values.
In order to prevent SQL Injection attacks I'm already using the ? placeholders for the values. Unfortunately MariaDB doesn't support placeholders for identifiers like ??.
I don't feel safe to just concat the table name or the columns to the query string like:
"SELECT INTO " + tablename +"(" + columns + ")" ...
My idea was to query at every sever start, which table and column names exist in my database and store them in a list. Then i could check whether the passed table and column strings are valid or not.
Does this idea makes sense or is a common way? How would handle that problem?
I'm thankful for every advice!
Greetings
mysql node.js mariadb sql-injection handle
asked Nov 15 '18 at 17:14
mcAngular2mcAngular2
1129
add a comment |
I'm using NodeJS and MariaDB. I have a lot of tables where some Users can change a value via requests. I don't want to prepare queries for every column the user wants to update like:
module.exports.updateName = (name,id) =>
return pool.query("UPDATE Users SET name=? WHERE user_id=?;", [name,id])
module.exports.updateAge = (name,id) =>
return pool.query("UPDATE Users SET age=? WHERE user_id=?;", [age,id])
I want to build s.th. like a template which expects the table, columns and values.
In order to prevent SQL Injection attacks I'm already using the ? placeholders for the values. Unfortunately MariaDB doesn't support placeholders for identifiers like ??.
I don't feel safe to just concat the table name or the columns to the query string like:
"SELECT INTO " + tablename +"(" + columns + ")" ...
My idea was to query at every sever start, which table and column names exist in my database and store them in a list. Then i could check whether the passed table and column strings are valid or not.
Does this idea makes sense or is a common way? How would handle that problem?
I'm thankful for every advice!
Greetings
mysql node.js mariadb sql-injection handle
asked Nov 15 '18 at 17:14
mcAngular2mcAngular2
1129
Construct the query with as many (or few) clauses the end-user needs. Do it in application code, not SQL.
– Rick James
Nov 15 '18 at 21:42
Can you give me an example?I don' get it what you mean
– mcAngular2
Nov 16 '18 at 8:11
add a comment |
I'm using NodeJS and MariaDB. I have a lot of tables where some Users can change a value via requests. I don't want to prepare queries for every column the user wants to update like:
module.exports.updateName = (name,id) =>
return pool.query("UPDATE Users SET name=? WHERE user_id=?;", [name,id])
module.exports.updateAge = (name,id) =>
return pool.query("UPDATE Users SET age=? WHERE user_id=?;", [age,id])
I want to build s.th. like a template which expects the table, columns and values.
In order to prevent SQL Injection attacks I'm already using the ? placeholders for the values. Unfortunately MariaDB doesn't support placeholders for identifiers like ??.
I don't feel safe to just concat the table name or the columns to the query string like:
"SELECT INTO " + tablename +"(" + columns + ")" ...
My idea was to query at every sever start, which table and column names exist in my database and store them in a list. Then i could check whether the passed table and column strings are valid or not.
Does this idea makes sense or is a common way? How would handle that problem?
I'm thankful for every advice!
Greetings
mysql node.js mariadb sql-injection handle
asked Nov 15 '18 at 17:14
mcAngular2mcAngular2
1129
I'm using NodeJS and MariaDB. I have a lot of tables where some Users can change a value via requests. I don't want to prepare queries for every column the user wants to update like:
module.exports.updateName = (name,id) =>
return pool.query("UPDATE Users SET name=? WHERE user_id=?;", [name,id])
module.exports.updateAge = (name,id) =>
return pool.query("UPDATE Users SET age=? WHERE user_id=?;", [age,id])
I want to build s.th. like a template which expects the table, columns and values.
In order to prevent SQL Injection attacks I'm already using the ? placeholders for the values. Unfortunately MariaDB doesn't support placeholders for identifiers like ??.
I don't feel safe to just concat the table name or the columns to the query string like:
"SELECT INTO " + tablename +"(" + columns + ")" ...
My idea was to query at every sever start, which table and column names exist in my database and store them in a list. Then i could check whether the passed table and column strings are valid or not.
Does this idea makes sense or is a common way? How would handle that problem?
I'm thankful for every advice!
Greetings
mysql node.js mariadb sql-injection handle
mysql node.js mariadb sql-injection handle
asked Nov 15 '18 at 17:14
mcAngular2mcAngular2
1129
asked Nov 15 '18 at 17:14
mcAngular2mcAngular2
1129
edited Nov 15 '18 at 17:20
mcAngular2
asked Nov 15 '18 at 17:14
mcAngular2mcAngular2
1129
asked Nov 15 '18 at 17:14
mcAngular2mcAngular2
1129
asked Nov 15 '18 at 17:14
mcAngular2mcAngular2
1129
1129
Construct the query with as many (or few) clauses the end-user needs. Do it in application code, not SQL.
– Rick James
Nov 15 '18 at 21:42
Can you give me an example?I don' get it what you mean
– mcAngular2
Nov 16 '18 at 8:11
add a comment |
Construct the query with as many (or few) clauses the end-user needs. Do it in application code, not SQL.
– Rick James
Nov 15 '18 at 21:42
Can you give me an example?I don' get it what you mean
– mcAngular2
Nov 16 '18 at 8:11
Construct the query with as many (or few) clauses the end-user needs. Do it in application code, not SQL.
– Rick James
Nov 15 '18 at 21:42
Construct the query with as many (or few) clauses the end-user needs. Do it in application code, not SQL.
– Rick James
Nov 15 '18 at 21:42
Can you give me an example?I don' get it what you mean
– mcAngular2
Nov 16 '18 at 8:11
Can you give me an example?I don' get it what you mean
– mcAngular2
Nov 16 '18 at 8:11
add a comment |
1 Answer
1
active
oldest
votes
Well, what I'd do is to create a stored procedure with params, user, column, value and inside it would decide what update statement to use, like so:
create procedure updateValues (in uid int, in columnid int, in value int)...
begin
if columnid = 0 then
update users set name = value;
else if columnid = 1 then
update users set age = value;
end if
end
answered Nov 15 '18 at 17:33
Sergio FloresSergio Flores
1126
but what if the users let's say wants to update 4 columns with different values. I would have to call the procedure 4 times. That's not very efficient isn't it?
– mcAngular2
Nov 15 '18 at 17:57
Well, are you planning to call the SP several times in a row? Otherwise it might not be significant. On the other hand, you can maybe assemble the SQL string and filter for attacks, by removing SQL statements and symbols...honestly is as much effort as keeping a list of valid columns and probably not as safe. The getter/setter encapsulation approach is to separate values, but you can also group them by using optional params in the sp
– Sergio Flores
Nov 15 '18 at 18:09
Forget I just realized MySQL doesn't support optionals...ok, so another option is to have the sp list all possible arguments, in order, and check against the list
– Sergio Flores
Nov 15 '18 at 18:12
Also, calling an sp offers some protection agains sql injection, because you have to prepare it and pass the parameters in ?, so extra sql code would likely cause an error. Still, look for filtering libraries, there might be something useful
– Sergio Flores
Nov 15 '18 at 18:14
add a comment |
Your Answer
StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53324698%2fnodejs-and-mariadb-avoid-queries-for-every-column%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Well, what I'd do is to create a stored procedure with params, user, column, value and inside it would decide what update statement to use, like so:
create procedure updateValues (in uid int, in columnid int, in value int)...
begin
if columnid = 0 then
update users set name = value;
else if columnid = 1 then
update users set age = value;
end if
end
answered Nov 15 '18 at 17:33
Sergio FloresSergio Flores
1126
but what if the users let's say wants to update 4 columns with different values. I would have to call the procedure 4 times. That's not very efficient isn't it?
– mcAngular2
Nov 15 '18 at 17:57
Well, are you planning to call the SP several times in a row? Otherwise it might not be significant. On the other hand, you can maybe assemble the SQL string and filter for attacks, by removing SQL statements and symbols...honestly is as much effort as keeping a list of valid columns and probably not as safe. The getter/setter encapsulation approach is to separate values, but you can also group them by using optional params in the sp
– Sergio Flores
Nov 15 '18 at 18:09
Forget I just realized MySQL doesn't support optionals...ok, so another option is to have the sp list all possible arguments, in order, and check against the list
– Sergio Flores
Nov 15 '18 at 18:12
Also, calling an sp offers some protection agains sql injection, because you have to prepare it and pass the parameters in ?, so extra sql code would likely cause an error. Still, look for filtering libraries, there might be something useful
– Sergio Flores
Nov 15 '18 at 18:14
add a comment |
Well, what I'd do is to create a stored procedure with params, user, column, value and inside it would decide what update statement to use, like so:
create procedure updateValues (in uid int, in columnid int, in value int)...
begin
if columnid = 0 then
update users set name = value;
else if columnid = 1 then
update users set age = value;
end if
end
answered Nov 15 '18 at 17:33
Sergio FloresSergio Flores
1126
but what if the users let's say wants to update 4 columns with different values. I would have to call the procedure 4 times. That's not very efficient isn't it?
– mcAngular2
Nov 15 '18 at 17:57
Well, are you planning to call the SP several times in a row? Otherwise it might not be significant. On the other hand, you can maybe assemble the SQL string and filter for attacks, by removing SQL statements and symbols...honestly is as much effort as keeping a list of valid columns and probably not as safe. The getter/setter encapsulation approach is to separate values, but you can also group them by using optional params in the sp
– Sergio Flores
Nov 15 '18 at 18:09
Forget I just realized MySQL doesn't support optionals...ok, so another option is to have the sp list all possible arguments, in order, and check against the list
– Sergio Flores
Nov 15 '18 at 18:12
Also, calling an sp offers some protection agains sql injection, because you have to prepare it and pass the parameters in ?, so extra sql code would likely cause an error. Still, look for filtering libraries, there might be something useful
– Sergio Flores
Nov 15 '18 at 18:14
add a comment |
Well, what I'd do is to create a stored procedure with params, user, column, value and inside it would decide what update statement to use, like so:
create procedure updateValues (in uid int, in columnid int, in value int)...
begin
if columnid = 0 then
update users set name = value;
else if columnid = 1 then
update users set age = value;
end if
end
answered Nov 15 '18 at 17:33
Sergio FloresSergio Flores
1126
Well, what I'd do is to create a stored procedure with params, user, column, value and inside it would decide what update statement to use, like so:
create procedure updateValues (in uid int, in columnid int, in value int)...
begin
if columnid = 0 then
update users set name = value;
else if columnid = 1 then
update users set age = value;
end if
end
answered Nov 15 '18 at 17:33
Sergio FloresSergio Flores
1126
answered Nov 15 '18 at 17:33
Sergio FloresSergio Flores
1126
answered Nov 15 '18 at 17:33
Sergio FloresSergio Flores
1126
answered Nov 15 '18 at 17:33
Sergio FloresSergio Flores
1126
1126
but what if the users let's say wants to update 4 columns with different values. I would have to call the procedure 4 times. That's not very efficient isn't it?
– mcAngular2
Nov 15 '18 at 17:57
Well, are you planning to call the SP several times in a row? Otherwise it might not be significant. On the other hand, you can maybe assemble the SQL string and filter for attacks, by removing SQL statements and symbols...honestly is as much effort as keeping a list of valid columns and probably not as safe. The getter/setter encapsulation approach is to separate values, but you can also group them by using optional params in the sp
– Sergio Flores
Nov 15 '18 at 18:09
Forget I just realized MySQL doesn't support optionals...ok, so another option is to have the sp list all possible arguments, in order, and check against the list
– Sergio Flores
Nov 15 '18 at 18:12
Also, calling an sp offers some protection agains sql injection, because you have to prepare it and pass the parameters in ?, so extra sql code would likely cause an error. Still, look for filtering libraries, there might be something useful
– Sergio Flores
Nov 15 '18 at 18:14
add a comment |
but what if the users let's say wants to update 4 columns with different values. I would have to call the procedure 4 times. That's not very efficient isn't it?
– mcAngular2
Nov 15 '18 at 17:57
Well, are you planning to call the SP several times in a row? Otherwise it might not be significant. On the other hand, you can maybe assemble the SQL string and filter for attacks, by removing SQL statements and symbols...honestly is as much effort as keeping a list of valid columns and probably not as safe. The getter/setter encapsulation approach is to separate values, but you can also group them by using optional params in the sp
– Sergio Flores
Nov 15 '18 at 18:09
Forget I just realized MySQL doesn't support optionals...ok, so another option is to have the sp list all possible arguments, in order, and check against the list
– Sergio Flores
Nov 15 '18 at 18:12
Also, calling an sp offers some protection agains sql injection, because you have to prepare it and pass the parameters in ?, so extra sql code would likely cause an error. Still, look for filtering libraries, there might be something useful
– Sergio Flores
Nov 15 '18 at 18:14
but what if the users let's say wants to update 4 columns with different values. I would have to call the procedure 4 times. That's not very efficient isn't it?
– mcAngular2
Nov 15 '18 at 17:57
but what if the users let's say wants to update 4 columns with different values. I would have to call the procedure 4 times. That's not very efficient isn't it?
– mcAngular2
Nov 15 '18 at 17:57
Well, are you planning to call the SP several times in a row? Otherwise it might not be significant. On the other hand, you can maybe assemble the SQL string and filter for attacks, by removing SQL statements and symbols...honestly is as much effort as keeping a list of valid columns and probably not as safe. The getter/setter encapsulation approach is to separate values, but you can also group them by using optional params in the sp
– Sergio Flores
Nov 15 '18 at 18:09
Well, are you planning to call the SP several times in a row? Otherwise it might not be significant. On the other hand, you can maybe assemble the SQL string and filter for attacks, by removing SQL statements and symbols...honestly is as much effort as keeping a list of valid columns and probably not as safe. The getter/setter encapsulation approach is to separate values, but you can also group them by using optional params in the sp
– Sergio Flores
Nov 15 '18 at 18:09
Forget I just realized MySQL doesn't support optionals...ok, so another option is to have the sp list all possible arguments, in order, and check against the list
– Sergio Flores
Nov 15 '18 at 18:12
Forget I just realized MySQL doesn't support optionals...ok, so another option is to have the sp list all possible arguments, in order, and check against the list
– Sergio Flores
Nov 15 '18 at 18:12
Also, calling an sp offers some protection agains sql injection, because you have to prepare it and pass the parameters in ?, so extra sql code would likely cause an error. Still, look for filtering libraries, there might be something useful
– Sergio Flores
Nov 15 '18 at 18:14
Also, calling an sp offers some protection agains sql injection, because you have to prepare it and pass the parameters in ?, so extra sql code would likely cause an error. Still, look for filtering libraries, there might be something useful
– Sergio Flores
Nov 15 '18 at 18:14
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53324698%2fnodejs-and-mariadb-avoid-queries-for-every-column%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Construct the query with as many (or few) clauses the end-user needs. Do it in application code, not SQL.
– Rick James
Nov 15 '18 at 21:42
Can you give me an example?I don' get it what you mean
– mcAngular2
Nov 16 '18 at 8:11