TechQA.

How to safely call a variadic function from nodejs

97 views Asked by At

Using postgres and node-pg.

CALL schema.function(${sql})

function is a variadic function accepting an array. It is open to SQL injection. How can the injection case be resolved?

My stored procedure uses a custom type:

CREATE TYPE isf.event_array AS 
(
    "id"   BIGINT,
    "topic"         CHARACTER VARYING(255),
    "type"    TEXT,
    "setId"   BIGINT,
    "eventId"       CHARACTER (36),
    "eventType"     CHARACTER VARYING(50),
    "metadata"      JSONB,
    "payload"       JSONB
);
END IF;

I understand the use of parametrised queries, however in this instance it needs to be passed an array.

Many thanks

javascript node.js postgresql node-postgres node-pg-pool
Original Q&A
1

There are 1 answers

0
Bergi On BEST ANSWER

As always when dealing with passing dynamic values, use a parameterised query:

await client.query('CALL schema.function($1::json);', [JSON.stringify(arr)]);

Related Questions in JAVASCRIPT

Related Questions in NODE.JS

Related Questions in POSTGRESQL

Related Questions in NODE-POSTGRES

Related Questions in NODE-PG-POOL

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions