Do ES6 template literals protect against SQL injection?

Should I use ES6 template literals when building queries to protect against SQL injection? Can you provide some examples of common attacks and how they will be mitigated?

Specifically, I am planning on using mssql in a node project. In its documentation, the section on template literals says, "All values are automatically sanitized against SQL injection." Is this true solely because of the way ES6 template literals work?

+3

1 answer


No, ES6 template literals are another way to create strings and don't protect you from SQL injection if you've used them to create raw SQL queries from user-supplied input without additional filtering / escaping:

    let name = "Robert'; DROP TABLE Students;--"; // user supplied input
    let sql = `SELECT * FROM Students WHERE name = '${name}'`; // build query...
    console.log(sql); // Injected SQL!


+6

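The distinction the answer is making, as an added example that is not code from the answer or from the mssql library: a plain template literal only concatenates strings, but a *tagged* template (a function placed directly in front of the backticks) receives the literal text pieces and the interpolated values as separate arguments. That is the mechanism behind the "automatically sanitized" statement in the mssql docs: its tagged query form turns each interpolated value into a query parameter instead of splicing it into the SQL text. The `sqlTag` function and the `@p0` parameter naming below are assumptions chosen for illustration, not mssql's implementation; the sample input is constructed.

```javascript
// Minimal tagged template: strings[] holds the literal SQL pieces, values[]
// holds the interpolated expressions. Values are never concatenated into the
// SQL text; each becomes a named parameter (@p0, @p1, ... assumed naming).
function sqlTag(strings, ...values) {
  let text = "";
  const params = {};
  strings.forEach((part, i) => {
    text += part;
    if (i < values.length) {
      const name = `p${i}`;
      text += `@${name}`;
      params[name] = values[i];
    }
  });
  return { text, params };
}

// Plain template literal: the user-supplied value lands inside the SQL text.
function buildUnsafe(name) {
  return `SELECT * FROM Students WHERE name = '${name}'`;
}

// Tagged template: same call-site syntax, but the value stays out of the text
// and travels separately, the way a driver sends bound parameters.
function buildSafe(name) {
  return sqlTag`SELECT * FROM Students WHERE name = ${name}`;
}

// Crude review check for query *text*: a literal that spliced input in will
// carry the attacker's second statement; parameterized text will not.
function mentionsDrop(sqlText) {
  return /\bDROP\s+TABLE\b/i.test(sqlText);
}

const userInput = "Robert'; DROP TABLE Students;--"; // constructed sample input

console.log(buildUnsafe(userInput));       // injected SQL in the text
console.log(buildSafe(userInput));         // { text: '... = @p0', params: { p0: "Robert'; DROP ..." } }
console.log(mentionsDrop(buildUnsafe(userInput)), mentionsDrop(buildSafe(userInput).text)); // true false
```

The point for reviewing mssql code: `sql.query` used as a tag in front of the backticks gets the parameterization; the same backtick string passed as an ordinary argument (or built first with a plain literal and then passed in) is just a string and gets no protection.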