My app server is in node.js and I'm storing records in a SQL Server database running on Azure. I'm using the mssql library (link below). How do I parameterize the Insert statement to prevent against SQL injection attacks?
mssql -- https://www.npmjs.com/package/mssql
Here is my code:
const sql = require("mssql");
var dbConfig = {
    server: azureSqlDbServerUrl, // Use your SQL server name
    database: azureSqlDbName, // Database to connect to
    user: azureSqlDbUsername, // Use your username
    password: azureSqlDbPassword, // Use your password
    port: 1433,
    // Since we're on Windows Azure, we need to set the following options
    options: {
        encrypt: true,
        enableArithAbort: false
    }
};
// myQuery holds:
// INSERT INTO productsTable (Id, Name, Url, Info) VALUES (123456, 'Name of product', 'https://www.example.com/product/123456', '{''test'':''here'',''nested'':{''itest'':''ivalue'',''itest2'':100}}' )
sql.connect(dbConfig)
    .then(pool => {
        return pool.request()
            .query( myQuery );
    }).then(result => {
        callback(0, result);
    }).catch(err => { // ... error checks
        console.log("Error occurred: " + err);
        callback(err, null);
    });
I've looked through the documentation on mssql and it doesn't really go into parameterizing the insert query. Other SQL Server docs have not been particularly helpful either.
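The parameterized form of the INSERT above, as an added example that is not code from the question or from the mssql project. It assumes the productsTable(Id, Name, Url, Info) layout implied by the question and that `request` is an mssql Request (`pool.request()`); the `types` argument is the mssql module itself (`sql.Int`, `sql.NVarChar`, `sql.MAX`), passed in so the binding can be inspected offline with the stub at the bottom. The point to notice is that the statement text contains only `@name` placeholders: the values, including the apostrophe and the JSON quotes, travel separately as typed parameters, so the `''` doubling in the original string-built query disappears along with the injection risk.

```javascript
// Added example (not the question's or mssql's own code). Assumes a table
// productsTable(Id, Name, Url, Info) and an mssql Request object as `request`.

// Bind the product fields as typed parameters and return the statement text.
// `types` is the mssql module (sql.Int, sql.NVarChar, sql.MAX). Nothing from
// `product` is ever concatenated into the SQL string.
function bindProduct(request, types, product) {
  // Reject malformed input here rather than letting the driver guess a type.
  if (!Number.isInteger(product.id)) throw new TypeError("id must be an integer");
  for (const field of ["name", "url"]) {
    if (typeof product[field] !== "string") throw new TypeError(field + " must be a string");
  }
  // Info is a JSON document; serialize it and bind the string as NVARCHAR(MAX).
  const info = JSON.stringify(product.info);

  request
    .input("id", types.Int, product.id)
    .input("name", types.NVarChar(200), product.name)
    .input("url", types.NVarChar(2048), product.url)
    .input("info", types.NVarChar(types.MAX), info);

  // Only placeholders appear in the statement; the server receives the values
  // out of band and never parses them as SQL.
  return "INSERT INTO productsTable (Id, Name, Url, Info) VALUES (@id, @name, @url, @info)";
}

// Run the bound INSERT; resolves with mssql's result object (rowsAffected etc.).
function insertProduct(request, types, product) {
  return request.query(bindProduct(request, types, product));
}

// Stub standing in for pool.request() so the binding can be inspected without a
// server. It records each input() call and resolves query() with the text it got.
function makeRecordingRequest() {
  const inputs = [];
  return {
    inputs,
    input(name, type, value) { inputs.push({ name, type, value }); return this; },
    query(text) { return Promise.resolve({ text, inputs }); },
  };
}

// Stub with the shape of the mssql type constructors (sql.Int, sql.NVarChar(len), sql.MAX).
const stubTypes = { Int: "Int", MAX: "MAX", NVarChar: (len) => "NVarChar(" + len + ")" };

// Constructed sample record; the apostrophe and the JSON quotes need no escaping.
const sampleProduct = {
  id: 123456,
  name: "O'Brien's widget",
  url: "https://www.example.com/product/123456",
  info: { test: "here", nested: { itest: "ivalue", itest2: 100 } },
};

// Offline demonstration: what the driver would send for sampleProduct.
async function demo() {
  return insertProduct(makeRecordingRequest(), stubTypes, sampleProduct);
}

// Against a real database (requires `npm install mssql` and the dbConfig from
// the question):
//   const sql = require("mssql");
//   const pool = await sql.connect(dbConfig);
//   const result = await insertProduct(pool.request(), sql, sampleProduct);
```

With the real driver, `request.input(name, type, value)` returns the request, so the calls chain exactly as in the stub, and the same `request` can then call `.query(text)`. Declaring the types explicitly (rather than relying on mssql's inference from the JavaScript value) keeps the server-side parameter types stable across calls, which also matters for plan caching.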