I am getting sql injection error while trying to run the below code in javascript. I am trying to see a way to update this using parameter or some place holders to bybass the injection error but I am not sure. The issue is that due to the fact that to create a secure web site, variable concatinated as ‘i’ below could be replaced with a parameter so that the site will not be vulnerable when selecting records from the database. I have seen fixes in php on this injection just like the one in the below article bit trying to see how to work around this in Javascript. In the below ‘i’ could be ‘name’. That is, Select name as overday_disolay from country, which takes the name that a user types in the form and replace the place holder ‘i’ with the ‘name’ given by user. Article below explains more but it is not a fix in javascript(I cannot use same fucntion used in the artile so I need a work around in Javascript). Injection error is thrown by the application.
https://www.acunetix.com/websitesecurity/sql-injection/
function getUnionDataSql()
{
var sql = "";
sql += " SELECT DISTINCT "+ i+ " AS overday_display FROM country UNION"
}
Advertisement
Answer
I was able to fix this. There are 2 options as allowed in the internal application. One is to use substring or use parameter inplace of the above variables. The other is to configure reserved words in the application.