SQL injection in Node Mysql library - javascript

I was trying to do some sql injection in node mysql library.
I have an Insert query written in Nodejs using by doing:
pool.query(`Insert into orders(orderType,CustomerID,storeNumber,stageNumber) Values('${orderType}',${customerID},'${storeNumber}','${stageNumber}')`,function(err,rows,fields){
if(err){
console.log(err)
}
var orderID=rows.insertId
}
All of the varaibles comes form a form which I am receiving using req.body
In the stageNumber field in the form instead of the storeNumber I was writing:
'); Delete from orderDetail;
This did not delete anything from my table
From my console.log(err) i get
Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check
the manual that corresponds to your MySQL server version for the right
syntax to use near 'Delete from orderDetail;')'
I cannot think of a way to remove the ')' but I know where it is coming from. Is it even possible to do SQL injection in Node MySQL library?

Have you already tried
'); Delete from orderDetail; --
This will ignore any characters post -- and should ideally work in this case.

Related

Issue while mssql Node.js during parametrized query

I'm doing an INSERT on my backend with node.js using mssql, the problem is: when i run the code the INSERT not work and there's no log error:
str_query= "INSERT INTO t1 (id,age,name) VALUES (#ID,#AGE,#NAME) ";
request.input('ID',sql.int,NULL);
request.input('NAME',sql.varchar,NULL);
request.input('AGE',sql.int,NULL);
request.query(str_query, function (err, recordset) {//doing stuff}
So basically seems impossibile to insert a null value in a INT column. Is there any way?

Knex.js migration issue: Fails with ` relation "knex_migrations" does not exist`

I've been using knex.js successfully for a while now on this project, first time I've come accross this. I deleted all my migration files and dropped my db (locally) and instead used pg_dump to get the DDL and all data from my prod database (not including knex_migrations or knex_migrations_lock tables).
I created a new migration script and used knex.raw to paste all the SQL in. When I ran the migration script, I get the following:
error: insert into "knex_migrations" ("batch", "migration_time", "name") values ($1, $2, $3) - relation "knex_migrations" does not exist
This migration script is being run on a brand new database. When I change what's in the script to just be basic DDL, it works fine. So something about the result of pg_dump and trying to run it using knex is causing it to bomb out.
This isn't a ton of data either really, so I'm not too sure where I'm going wrong - knex is responsible for creating the migration tables and I've made sure there's no mention of knex or migration tables in the DDL.
Any suggestions would be greatly appreciated :)
The table knex_migrations and knex_migrations_lock will be created on running the command
knex migrate:make <name of migration>
Could you please confirm you have executed above knex command.
Once that is done running
knex migrate:latest
should create all schema you have mention. knex.raw
Using pd_dump to dump a database to an sql file, there occurs some additional lines in the beginning of the sql such as:
SET statement_timeout = 0;
SET lock_timeout = 0;
SET idle_in_transaction_session_timeout = 0;
SET client_encoding = 'UTF8';
SET standard_conforming_strings = on;
SELECT pg_catalog.set_config('search_path', '', false);
SET check_function_bodies = false;
SET xmloption = content;
SET client_min_messages = warning;
SET row_security = off;
comment those out and the migration should work. You can uncomment one statement at a time to see which one is causing the problem.
I just went down this hole. The following line is the culprit.
SELECT pg_catalog.set_config('search_path', '', false);
It's removing your search path so knex doesn't know where to find anything.

Discord.js read client bot token from a file rather than hard-coded

I want to be able to read the client.login(BOT_TOKEN); dynamically from a file/database, but this is getting executed before my file read function finishes executing.
BOT_TOKEN = '';
if(BUILD_PROFILE == 'dev'){
filesystem.readFile('./../devToken.txt', 'utf8', (err, data) => {
if(err) throw err;
console.log(data);
BOT_TOKEN = data;
})
}
client.login(BOT_TOKEN);
This is the error I'm getting in logs - I have double checked the file and it's console.log(data) shows the right token, but it's not being applied
I suggest you place your token in an ENV file.
I also think you should copy your token directly from your bot's bot page on discord and pasting it directly.
You console.log'd the data was it the right token?
A very easy way to do this would be to have a config.js file in your main bot folder, and set out the
{
token: “token-here”
}
Then, in your main.js file, require the config file as a variable, then at your ‘bot.login’, just do ‘bot.login(config.token)’
You can also have your prefix set in this file too, allowing a user to possibly change your command prefix in the future
Additionally, you could use a SQLite database, that saves your token - you have to have the SQLite npm library, from https://www.npmjs.com/package/sqlite here, but it is very simple to set up, if anyone needs help here, add my discord Proto#4992
n.m. SQLite databases also will come in useful when/if you want to set up a currency system in the future.

MySQL not returning data in Node

I have the following JavaScript that I am executing through Node
function afterConnection() {
var query = connection.query("SELECT * FROM playlist;", function (err, res) {
if (err) throw err;
console.log(res);
connection.end();
});
console.log(`The query that ran: ${query.sql}`)
}
Pretty basic. If I execute this code from my Windows 10 machine running MySQL 8 this logs the result set to the console. If I run this same code on macOS 13.5 running the same version of MySQL the code prints an empty array to the console. I know that I am connected to MySQL because if I change the query to something entirely invalid (like trying to SELECT from a table that doesn't exist) I get an error back saying the Table is invalid. So MySQL is consuming the command but isn't sending back a result. If i run the query directly in MySQL it returns the data I would expect. I have double checked my connection strings and there doesn't seem to be any problem there. Additionally if I run the query directly in Workbench data is returned from there as I would expect. Any thoughts?

Error: The Mongo server and the Meteor query disagree on how many documents match your query. Maybe it is hitting a Mongo edge case? The query is: {}

Exception in defer callback: Error: The Mongo server and the Meteor query disagree on how many documents match your query. Maybe it is hitting a Mongo edge case? The query is: {}
I20180319-12:18:14.344(5.5)? at packages/mongo/oplog_observe_driver.js:881:15
I20180319-12:18:14.345(5.5)? at Object.Meteor._noYieldsAllowed (packages/meteor.js:730:12)
I20180319-12:18:14.345(5.5)? at OplogObserveDriver._publishNewResults (packages/mongo/oplog_observe_driver.js:851:12)
I20180319-12:18:14.345(5.5)? at OplogObserveDriver._runQuery (packages/mongo/oplog_observe_driver.js:758:10)
I20180319-12:18:14.346(5.5)? at OplogObserveDriver._runInitialQuery (packages/mongo/oplog_observe_driver.js:658:10)
I20180319-12:18:14.346(5.5)? at packages/mongo/oplog_observe_driver.js:191:10
I20180319-12:18:14.346(5.5)? at packages/mongo/oplog_observe_driver.js:15:9
I20180319-12:18:14.346(5.5)? at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1186:26)
I20180319-12:18:14.347(5.5)? at packages/meteor.js:502:25
I20180319-12:18:14.347(5.5)? at runWithEnvironment (packages/meteor.js:1238:24)
This is the full exception I'm getting, it started coming as I update meteor to 1.6.1 from 1.6.0, on change in code just updated my meteor, I can't show the code as it's confidential but can some give me any hint on what part of my code should I look for example : on helpers, meteor call, meteor method, router etc.
Or can any body give me idea why this error came.
In case you haven't found a solution yet:
This bug comes from the handling of undefined values in Mongo and JSON/EJSON.
Because undefined doesn't exist in JSON, the key-value pair gets stripped from the query before being passed to Mongo. This is why the error says The query is: {}.
Meteor have a fix for this in the pipeline for the next version, but in the mean time you can update affected queries to test for undefined and replace it with null
reference: https://github.com/meteor/meteor/issues/9619

Categories