Conversation

tskong
Contributor

@tskong tskong commented Feb 9, 2022

No description provided.

@ahmad-moussawi
Contributor

Curious to know more about this, and why it's needed

@tskong
Contributor Author

tskong commented Feb 11, 2022

Hi, we did a Veracode scan over the code and this was picked up. This fix is to address this issue; I'm hoping it's correct. The unit tests all pass.

sonatype-2019-0547 The SqlKata package is vulnerable to SQL Injection. The ChangeToSqlValue function in QueryBuilder.dll does not escape single quotes (') in user-supplied input, which is used to construct and execute SQL queries. A remote attacker can exploit this behavior by supplying specially-crafted input, allowing them to alter the SQL query in order to exfiltrate or modify data in an affected database.
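The defect the advisory describes, a string value rendered into a SQL literal without escaping the quote delimiter, shown as an added standalone C# illustration. This is not SqlKata's code and not the change in this PR; the type and method names (SqlLiteral, ToSqlValueUnescaped, ToSqlValueEscaped, IsWellFormedLiteral) and the sample value are assumptions made for the example.

```csharp
using System;

// Added illustration, not SqlKata's code: how a single quote inside a value breaks a
// rendered SQL string literal, and the standard doubling escape that keeps it intact.
// All names below are assumptions for this example.
public static class SqlLiteral
{
    // "Before" behaviour from the advisory: the value is wrapped in quotes, but a quote
    // inside it is copied verbatim, so the rendered text is no longer one closed literal.
    public static string ToSqlValueUnescaped(string value) => "'" + value + "'";

    // Hardened rendering: every single quote inside the value is doubled, which is the
    // SQL-standard way to place a quote character inside a quoted literal.
    public static string ToSqlValueEscaped(string value) => "'" + value.Replace("'", "''") + "'";

    // Check a rendered literal: it must start and end with a quote, and any quote in the
    // body must be half of a doubled pair. Returns false when a lone quote would end the
    // literal early, which is exactly the condition the advisory is about.
    public static bool IsWellFormedLiteral(string literal)
    {
        if (literal.Length < 2 || literal[0] != '\'' || literal[literal.Length - 1] != '\'')
            return false;

        string body = literal.Substring(1, literal.Length - 2);
        for (int i = 0; i < body.Length; i++)
        {
            if (body[i] != '\'') continue;
            if (i + 1 >= body.Length || body[i + 1] != '\'')
                return false;   // lone quote: the literal would close here
            i++;                // skip the second half of the doubled pair
        }
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input that contains the delimiter character.
        string value = "O'Brien";

        string unescaped = SqlLiteral.ToSqlValueUnescaped(value);
        string escaped = SqlLiteral.ToSqlValueEscaped(value);

        Console.WriteLine($"{unescaped}  well-formed: {SqlLiteral.IsWellFormedLiteral(unescaped)}");
        Console.WriteLine($"{escaped}  well-formed: {SqlLiteral.IsWellFormedLiteral(escaped)}");
    }
}
```

Running it renders the sample first as `'O'Brien'`, which the check rejects because the inner quote closes the literal, and then as `'O''Brien'`, which it accepts. The doubling escape only makes the rendered text (a ToString()-style debug or log output) consistent; anything that is actually executed against a database should still pass values as command parameters rather than splicing them into SQL text.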
@ahmad-moussawi
Contributor

Actually, the ToString() method is not designed to be executed, but I don't think this will affect the output in a bad way.

@ahmad-moussawi ahmad-moussawi merged commit a1f8e3f into sqlkata:master Feb 13, 2022
@kmataru

kmataru commented Mar 28, 2022

I am curious about this. Will there be any package release soon that wraps this?
