
Way to remove string concat in Oracle-db (Nodejs)

Is there a way to prevent string concat in the SQL query that might cause SQL injection?

The searchParameter and searchString are optional parameters that come from a GET request. These should be added to the WHERE clause, which will filter the results depending on user input.

Both searchParameter and searchString must be non-null in order to complete the statement.

Thank you.

async getDetails(searchParameter, searchString, skip = 0, limit = 25, transactionSeq) {

    // Both user-supplied values are spliced straight into the statement text:
    // searchParameter as an identifier and searchString inside single quotes.
    // A quote in searchString, or anything at all in searchParameter, changes
    // the statement. This is the concatenation the question asks how to remove.
    let filterQuery = "";
    if (searchParameter && searchString) {
      filterQuery = "AND " + searchParameter + "=" + "'" + searchString + "'";
    }

    // Note that filterQuery is appended to the outer query, where only
    // record_sequence and RN are visible, and that limit is interpolated
    // into the optimizer hint rather than bound.
    const sql = `
      select * from (
      select /*+first_rows(${limit})*/
      a.record_sequence,
      ROW_NUMBER() OVER (ORDER BY a.record_sequence) RN
      from TABLE_NAME a
      WHERE TRANSACTION_SEQUENCE = :t
      ) where RN between :n AND :m ${filterQuery}
      ORDER BY RN
    `;
    const bindVars = {
      t: transactionSeq,
      n: skip + 1,
      m: skip + limit
    };
    const resultAsync = this._database.simpleExecute(sql, bindVars);
    return resultAsync;
}

You should allow-list any statement text that you are using in string concatenation. I presume searchParameter matches a column name, so check that the value is a column that exists in the table. Throw an error if it is not known. See Binding Column and Table Names in Queries.

Then use a bind variable for the user data searchString. You can add this to bindVars.

Also you might like to use the newer limit syntax:

const myoffset = 0;       // do not skip any rows (start at row 1)
const mymaxnumrows = 20;  // get 20 rows

// connection is an already-open node-oracledb connection; the await needs
// to run inside an async function. Both paging values are bind variables.
const result = await connection.execute(
  `SELECT last_name
   FROM employees
   ORDER BY last_name
   OFFSET :offset ROWS FETCH NEXT :maxnumrows ROWS ONLY`,
  {offset: myoffset, maxnumrows: mymaxnumrows});
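Putting the answer's three points together (allow-list the column name, bind the search value, page with OFFSET/FETCH), here is the question's function rewritten for node-oracledb. This is an added example, not code from the question or the answer: TABLE_NAME and TRANSACTION_SEQUENCE come from the question, while the allow-listed column names STATUS and CUSTOMER_ID and the `connection` argument are assumptions for illustration. The original concatenation is kept beside it only to show what a quote in searchString produces.

```javascript
'use strict';

// Columns a caller may filter on. Keys are the values the GET request may
// carry; values are the exact identifiers that get spliced into the SQL.
// Only map values ever reach the statement text, never the raw input.
// (STATUS and CUSTOMER_ID are assumed for the example; TABLE_NAME and
// TRANSACTION_SEQUENCE come from the question.)
const FILTERABLE_COLUMNS = new Map([
  ['record_sequence', 'RECORD_SEQUENCE'],
  ['status', 'STATUS'],
  ['customer_id', 'CUSTOMER_ID'],
]);

// The question's original concatenation, kept only to show what it yields
// when searchString carries a quote. Do not use this.
function buildVulnerableFilter(searchParameter, searchString) {
  if (!(searchParameter && searchString)) return '';
  return "AND " + searchParameter + "=" + "'" + searchString + "'";
}

function assertNonNegativeInt(name, value) {
  if (!Number.isInteger(value) || value < 0) {
    throw new RangeError(`${name} must be a non-negative integer, got ${value}`);
  }
  return value;
}

// Hardened builder. Returns { sql, binds } ready for connection.execute().
// - searchParameter is resolved through the allow-list and rejected if unknown
// - searchString, transactionSeq, skip and limit are bind variables
// - limit is also interpolated into the optimizer hint, which cannot be
//   bound, so it is validated as an integer first
function buildDetailsQuery(searchParameter, searchString, skip = 0, limit = 25, transactionSeq) {
  assertNonNegativeInt('skip', skip);
  assertNonNegativeInt('limit', limit);

  const binds = { t: transactionSeq, offset: skip, maxnumrows: limit };
  let filter = '';

  if (searchParameter && searchString) {
    const column = FILTERABLE_COLUMNS.get(String(searchParameter));
    if (column === undefined) {
      throw new Error(`unknown search column: ${String(searchParameter)}`);
    }
    filter = `AND a.${column} = :s`;
    binds.s = String(searchString); // user data travels as a bind, not as text
  }

  // The filter sits in the single WHERE clause, before the row limit, so
  // paging applies to the filtered set. OFFSET/FETCH replaces the
  // ROW_NUMBER() wrapper from the question.
  const sql = `
    SELECT /*+ FIRST_ROWS(${limit}) */ a.RECORD_SEQUENCE
    FROM TABLE_NAME a
    WHERE a.TRANSACTION_SEQUENCE = :t
    ${filter}
    ORDER BY a.RECORD_SEQUENCE
    OFFSET :offset ROWS FETCH NEXT :maxnumrows ROWS ONLY`;

  return { sql, binds };
}

// Runs the built statement on an already-open node-oracledb connection
// (obtaining the connection is outside this example).
async function getDetails(connection, searchParameter, searchString, skip, limit, transactionSeq) {
  const { sql, binds } = buildDetailsQuery(searchParameter, searchString, skip, limit, transactionSeq);
  const result = await connection.execute(sql, binds);
  return result.rows;
}
```

With `searchString = "x' OR '1'='1"`, `buildVulnerableFilter('STATUS', …)` returns `AND STATUS='x' OR '1'='1'`, which disables the filter; `buildDetailsQuery('status', …)` instead emits `AND a.STATUS = :s` and passes the same string untouched as bind `s`. A value such as `STATUS='x' OR 1=1 --` for searchParameter never reaches the SQL text because the map lookup fails and the builder throws. Mapping request keys to identifiers, rather than only checking membership, also means the identifier case and quoting are fixed in code, not taken from the request.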
