Avoid SQL injections

문서 > Datadog 보안 > Code Security > Static Code Analysis (SAST) > SAST 규칙 > Avoid SQL injections

이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: javascript-node-security/variable-sql-statement-injection

Language: JavaScript

Severity: Warning

Category: Security

CWE: 89

Description

Check for variable declarations in a SQL statement where there is potential for SQL injections.

Non-Compliant Code Examples

var table = 'baz';

const foo = "SELECT foo FROM " + table;
const select = `SELECT foo FROM ${table}`;
var del = `DELETE FROM ${table} WHERE condition;`;
let update = ' UPDATE ' +
             table +
             "SET column1 = value1, column2 = value2" +
             "WHERE condition;";

// Not safe: template strings with value
let update = ` UPDATE ` +
             'mytable' +
             `SET column1 = value1, column2 = ${value}` +
             "WHERE condition;";

Compliant Code Examples

// Safe: using parameterized queries
const query = "SELECT foo FROM users WHERE id = ?";
connection.query(query, [userId]);

// Safe: only strings
let update = ' UPDATE ' +
             'mytable' +
             "SET column1 = value1, column2 = value2" +
             "WHERE condition;";

// safe: template strings without value
let update = ` UPDATE ` +
             'mytable' +
             `SET column1 = value1, column2 = value2` +
             "WHERE condition;";

Avoid SQL injections

Metadata

Description

Non-Compliant Code Examples

Compliant Code Examples

How can I help you today?