Do ES6 template literals protect against SQL injection?
Should I use ES6 template literals when building queries to protect against SQL injection? Can you provide some examples of common attacks and how they would be mitigated?
Specifically, I am planning on using mssql in a node project. In its documentation, the section on template literals says, "All values are automatically sanitized against SQL injection." Is this true solely because of the way ES6 template literals work?
+3
1 answer
No, ES6 template literals are another way to create strings and don't protect you from SQL injection if you've used them to create raw SQL queries from user-supplied input without additional filtering / escaping:
let name = "Robert'; DROP TABLE Students;--"; // user supplied input
let sql = `SELECT * FROM Students WHERE name = '${name}'`; // build query...
console.log(sql); // Injected SQL!
+6
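The distinction the question is really asking about is untagged versus tagged template literals. An untagged literal only builds a string, as the answer shows. A tagged literal calls a function with the fixed text fragments and the interpolated values as separate arguments, which is what lets a library bind the values as query parameters instead of splicing them into the SQL. The following is an added example, not code from the question, the answer, or the mssql project; `sqlTag` is a hypothetical stand-in for a driver's tag (mssql's `sql.query` tag is one real instance), the `@p0`-style placeholders are an assumed convention, and the hostile input is constructed for the demo.

```javascript
// Added example, not code from the question or the answer above.
// `sqlTag` is a hypothetical stand-in for a library's tagged template
// (mssql's `sql.query` tag is one real instance); it only shows the
// mechanism and does not talk to a database.

// 1. Untagged template literal: pure string building. The interpolated
//    value becomes part of the SQL text, exactly as in the answer.
function buildRawQuery(name) {
  return `SELECT * FROM Students WHERE name = '${name}'`;
}

// 2. Tagged template literal: the engine calls the tag with the fixed
//    fragments (`strings`) and the interpolated values (`values`) as
//    separate arguments. The tag emits one placeholder per value and
//    hands the values to the driver as bound parameters, so they are
//    never parsed as SQL. The @p0, @p1, ... placeholder style is an
//    assumption for illustration; drivers differ.
function sqlTag(strings, ...values) {
  let text = '';
  strings.forEach((fragment, i) => {
    text += fragment;
    if (i < values.length) text += `@p${i}`;
  });
  return { text, params: values };
}

function buildParameterizedQuery(name) {
  return sqlTag`SELECT * FROM Students WHERE name = ${name}`;
}

// Two interpolated values, to show the general case.
function buildParameterizedQueryWithAge(name, minAge) {
  return sqlTag`SELECT * FROM Students WHERE name = ${name} AND age > ${minAge}`;
}

// Crude check used only for this demo: is there a second statement
// after the first semicolon in the query text?
function hasTrailingStatement(text) {
  const firstSemi = text.indexOf(';');
  return firstSemi !== -1 && text.slice(firstSemi + 1).trim().length > 0;
}

// Constructed hostile input, same shape as the answer's example.
const HOSTILE_NAME = "Robert'; DROP TABLE Students;--";

function demo() {
  const raw = buildRawQuery(HOSTILE_NAME);
  const safe = buildParameterizedQuery(HOSTILE_NAME);
  console.log('untagged  :', raw);          // injected statement inside the SQL text
  console.log('tagged    :', safe.text);    // placeholder only
  console.log('parameters:', safe.params);  // hostile string stays data
  return {
    rawInjected: hasTrailingStatement(raw),
    taggedInjected: hasTrailingStatement(safe.text),
  };
}

demo();
```

So the mssql claim holds because its `query` function is used as a tag, not because template literals themselves sanitize anything; the same literal without the tag is just string concatenation. Two caveats a practitioner should keep in mind: the protection only covers values, so a table or column name interpolated into a tagged literal is also sent as a parameter and the query will not do what you expect; and any place where you concatenate the result of an untagged literal into SQL is back to the vulnerable case.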