
How can this Parameterized Query Prevent SQL Injection?

I know that parameterized queries are used to prevent SQL injection, but how can this prevent an SQL injection? Can't someone just set their id equal to ; DROP TABLE * -- and just insert that into the parameterized query anyway?

// $1 and $2 are node-postgres placeholders; the values array is sent separately from the statement text
let updateQueryData = `UPDATE table SET lookups = $1 WHERE id = $2`;
let updateQueryValues = [numLookups, data.rows[0].id];
pool.query(updateQueryData, updateQueryValues, err => {
    if (err) {
        console.error(err);
        return;
    }
    // rest of the handler not shown in the question
});

No. The data is not simply inserted into the text representation of the query. It is sent separately.

To prevent injection, the data must be separate from the command, so that there is no ambiguity between the data and the command. This is exactly what a parameterized query does.

(Note: There are some libraries that do still send the query with the data all-in-one, but all the data is automatically "escaped" so that it is still safe for use.)

Also, I would highly recommend removing those backticks and replacing them with regular quotes so you don't accidentally concatenate data into that query in the future.

UPDATE table SET lookups = $1 WHERE id = $2

Your query is parameterized already.

Here is what would happen if someone passes a malicious value like '; DROP TABLE * --' :

  • if the corresponding column is of string datatype, then the query becomes something like:
    UPDATE table SET lookups = '; DROP TABLE * --' WHERE id = 1
  • if the column is numeric, you will get a runtime error because '; DROP TABLE * --' is not a number
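Both answers make the same point: with a parameterized query the statement text is fixed and the data travels separately, so user input can never become part of the command. The example below is added here to show that difference against a real database; it is not code from the question or from either answer. It uses Python's built-in sqlite3 module as an offline stand-in for node-postgres, and the table name lookups_table, its columns and the payload strings are constructed for the demonstration. The concatenated version is deliberately vulnerable; the parameterized version is the hardened form.

```python
import sqlite3

# Payloads, constructed for this demonstration. The question's payload targets a
# string context; these target the numeric id in "WHERE id = ...", where no
# quote is needed to break out of the data and into the command.
PAYLOAD_NUMERIC = "1 OR 1=1"                  # widens the WHERE clause to every row
PAYLOAD_DROP = "1; DROP TABLE lookups_table"  # stacks a second statement


def fresh_db():
    """In-memory database with three rows (table and column names are constructed)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE lookups_table (id INTEGER PRIMARY KEY, lookups INTEGER NOT NULL, note TEXT)"
    )
    con.executemany(
        "INSERT INTO lookups_table (id, lookups) VALUES (?, ?)", [(1, 0), (2, 0), (3, 0)]
    )
    con.commit()
    return con


def update_concatenated(con, num_lookups, user_id):
    """VULNERABLE: the data is spliced into the command text, so the database cannot
    tell where the command ends and the data begins. executescript() stands in for a
    driver that accepts stacked statements; sqlite3's execute() would refuse the
    second statement outright. Returns the SQL actually sent."""
    sql = f"UPDATE lookups_table SET lookups = {num_lookups} WHERE id = {user_id}"
    con.executescript(sql)
    return sql


def update_parameterized(con, num_lookups, user_id):
    """SAFE: the statement text is constant, the values are bound separately.
    Returns the number of rows changed."""
    sql = "UPDATE lookups_table SET lookups = ? WHERE id = ?"
    cur = con.execute(sql, (num_lookups, user_id))
    con.commit()
    return cur.rowcount


def store_note_parameterized(con, note, user_id):
    """The second answer's string-column case: the payload is stored verbatim as data."""
    con.execute("UPDATE lookups_table SET note = ? WHERE id = ?", (note, user_id))
    con.commit()
    return con.execute("SELECT note FROM lookups_table WHERE id = ?", (user_id,)).fetchone()[0]


def lookups_by_id(con):
    return dict(con.execute("SELECT id, lookups FROM lookups_table ORDER BY id"))


def table_exists(con):
    row = con.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'lookups_table'"
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    con = fresh_db()
    print(update_concatenated(con, 7, PAYLOAD_NUMERIC), "->", lookups_by_id(con))
    con = fresh_db()
    update_concatenated(con, 7, PAYLOAD_DROP)
    print("table survives concatenation with DROP payload:", table_exists(con))
    con = fresh_db()
    print("rows changed by parameterized query with payloads:",
          update_parameterized(con, 7, PAYLOAD_NUMERIC), update_parameterized(con, 7, PAYLOAD_DROP))
    print("table survives:", table_exists(con), lookups_by_id(con))
    print("stored note:", store_note_parameterized(con, "'; DROP TABLE lookups_table --", 1))
```

With concatenation the first payload updates every row and the second drops the table; with binding, both payloads match zero rows and the table is untouched, and the string payload simply ends up stored in the column. One difference from the question's setup: SQLite compares a non-numeric string against an integer column without error (it just never matches), whereas PostgreSQL rejects the bound value for an integer parameter with an "invalid input syntax for type integer" error, which is the runtime error the second answer describes. In node-postgres, passing a values array also switches to the extended query protocol, which accepts only a single statement per query, so a stacked DROP cannot be smuggled in even in principle.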
