2

Can I use a function like this

CREATE FUNCTION create_user(_firstName text)
RETURNS void AS $$
  INSERT INTO user_account (first_name) VALUES (_firstName);
$$ LANGUAGE sql;

On the server to protect against SQL injection attacks? Then I can just run this on the client,

client.query(`SELECT create_user(${someUserInput})...`

Or will I still need to use parameterized queries with placeholders,

client.query(`SELECT create_user($1)`, [someUserInput])
Improve this question
2
  • @EvanCarroll -- Why move it to DBA? This isn't really a question about DB administration, architecture, or query optimization. Seems like a better fit on SO, no? Commented Feb 27, 2018 at 18:01
  • 1
    Fair point. That said, I think I'll keep the question here for now. Commented Feb 27, 2018 at 19:00

1 Answer 1

Reset to default
3

Problem (exploit)

client.query(`select create_user(${someUserInput})`

The problem there is what happens if 

let someUserInput = `'foo'); DROP DATABASE bar;`;

That will get sent to your call as,

client.query("select create_user('foo'); DROP DATABASE bar;")`

And, that would be bad. Yes, the argument to create_user is protected against injection, but the call to that isn't.

Solutions

  1. Use placeholders (obvious choice: most failsafe and secure solution.)

  2. Ensure someUserInput is properly quoted

    1. Use the client-library to quote it with something like PQescapeLiteral
    2. Use a second run to the server to quote it with quote_literal (requires placeholders anyway). SELECT quote_literal($1);

I would not try to create the quoting-mechanism myself.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.