ORM
  • Introduction
  • Basics of Usage
    • Connecting to the Database
    • Creating a Model
    • Simple Queries
  • Configuration
  • Core Features
    • Models
    • CRUD Operations (Create, Read, Update, Delete): examples
    • Relationships
    • Transactions
  • Advanced Usage
    • Data Definition Language
    • Indexes
    • Triggers
    • Caching
  • Examples and templates
  • Security
    • Query parameterization and protection against SQL injections
    • Logging
    • Monitoring
    • Sanitization
  • ORM-CLI
    • Installing
    • Commands and usage
  • System architecture and implementation
    • Support of various databases
      • Implementation using a pattern strategy
      • Implementation using generics
      • Implementation using metaprogramming
    • Decorators
    • Migrations
      • Assignment of id in Tables and Columns
      • Assigning IDs to indexes and triggers
      • Working with migrations in ORM-CLI
        • Implementation of a pattern command for migration
    • QueryBuilder
    • Caching
    • File structure
  • API
    • Decorators
      • Column
      • ComputedColumn
      • Index
      • ForeignKey
      • PrimaryGeneratedColumn
      • Relations
      • Table
      • Trigger
      • Types decorators
        • Integer
        • Numeric
        • Float
        • Boolean
        • String
    • DDL
    • QueryBuilder
    • Additional API
Powered by GitBook
On this page
  1. Security

Query parameterization and protection against SQL injections

In this section, we will look at how to effectively use query parameterization in my ORM system to protect against SQL injections and ensure data security.

Query Parameterization

Query parameterization is critical for protecting against SQL injection. It allows passing values into queries as parameters instead of embedding them directly in the SQL query. This not only protects against unwanted modifications in queries but also improves code readability and maintainability.

Example of Query Parameterization

Here's how you can implement query parameterization in your ORM system:

const parametrizeQuery = await databaseManager.query(`
    INSERT INTO users (user_id, email, password, is_active)
    VALUES ($1, $2, $3, $4)
    RETURNING user_id;
`, [3, 'email@gmail.com', 'sedgdbdfb', true]);

In this example, the query to insert a new user into the users table uses parameters instead of directly embedding values into the SQL query. Parameter values are provided as an array [3, 'email@gmail.com', 'sedgdbdfb', true], which replaces the corresponding placeholders $1, $2, $3, and $4 in the query.

How This Protects Against SQL Injection

  • Prevention of Unwanted Data Insertion: Instead of including data directly in the SQL query, parameterization allows passing them separately. This means that parameter values are processed as data, not as part of the SQL code, making it impossible to use them to execute unwanted SQL commands.

  • Query Cleanliness: Parameterization reduces the risk of errors related to incorrect SQL query formatting. It ensures a cleaner and more understandable code that is easier to maintain and check for vulnerabilities.

  • Automatic Data Escaping: Many modern databases and ORM systems automatically escape data passed through parameterization, providing an additional layer of protection.

Automatic Parameterization in QueryBuilder

In my ORM system, the QueryBuilder automatically parameterizes queries, providing an extra level of security. For example, consider the following query:

const exampleOfInsertQueryWithParametrize = databaseManager.queryBuilder()
    .insert({
        task_id: 1,
        title: 'Нове завдання',
        description: 'Опис нового завдання',
        is_completed: false,
        due_date: '2024-08-31',
        price: 1480
    }, 'tasks')
    .build();

This code forms an SQL query that, when outputted, will look like this:

INSERT INTO tasks (task_id, title, description, is_completed, due_date, price)
VALUES ($1, $2, $3, $4, $5, $6);

Thanks to automatic parameterization, QueryBuilder ensures that all transferred data will be protected from potential SQL injections, making queries safe and efficient. Query parameterization is a key SQL injection protection mechanism that ensures code security, reliability, and maintainability. Automatic parameterization implemented in my ORM system through QueryBuilder significantly reduces the risks associated with executing malicious SQL queries. Thanks to this approach, developers can focus on the logic of the application without worrying about vulnerabilities related to SQL injections.

PreviousExamples and templatesNextLogging

Last updated 9 months ago