A question about SQL injection #130

Answered by shane-circuithub
lorenzo asked this question in Q&A

I have some very unfinished work to add support for prepared statements to Rel8. The Hasql library which we build on top of supports Postgres parameters and prepared statements, but it needs some non-trivial plumbing to integrate that with Rel8.

Having said that, unless you're using unsafeLiteral, I don't think you need to be worried about SQL injections with lit. For example:

putStrLn $ showQuery $ pure $ lit @(Expr Text) "Robert' ); DROP TABLE Students;--"
SELECT
CAST(CAST(E'Robert'' ); DROP TABLE Students;--' AS text) AS text) as "anon"
FROM (SELECT
      0) as "T1"

As you can see, the ' is escaped to '' in the generated SQL.
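To make the escaping rule shown above concrete, here is an added example (not Rel8's or Hasql's code) that renders a value as a Postgres E'...' escape-string literal the same way the generated SQL above does, and contrasts it with naive string concatenation. It also includes a small splitter that counts top-level statements while honouring quoted literals and `--` comments, which is the check that shows why the payload is harmless once the quote is doubled. The table name, the hypothetical `naive_query`/`literal_query` helpers and the doubling of backslashes (which Postgres requires inside E'...' strings) are assumptions of this example, not something taken from the discussion.

```python
"""Escaped literal vs. naive concatenation, checked with a quote-aware statement splitter."""

# Payload from the discussion (constructed input for this example).
PAYLOAD = "Robert' ); DROP TABLE Students;--"


def pg_escape_literal(s: str) -> str:
    """Render s as a Postgres E'...' escape-string literal.

    Inside E'...' both the single quote and the backslash are special,
    so a quote is doubled ('') and a backslash is doubled (\\\\).
    """
    return "E'" + s.replace("\\", "\\\\").replace("'", "''") + "'"


def naive_query(name: str) -> str:
    """Vulnerable: the value is spliced straight into the SQL text."""
    return "SELECT * FROM Students WHERE name = '" + name + "'"


def literal_query(name: str) -> str:
    """Safe rendering: the value becomes one escaped literal."""
    return "SELECT * FROM Students WHERE name = " + pg_escape_literal(name)


def split_statements(sql: str) -> list:
    """Split sql on top-level ';', skipping '...' / E'...' literals and -- comments.

    Returns the non-empty statements with comment text dropped. This is a
    deliberately small lexer for the demonstration, not a full SQL parser.
    """
    stmts, buf, i, n = [], [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c == "'":
            # An E (or e) immediately before the quote, not part of an identifier,
            # marks an escape string where backslash escapes the next character.
            is_e = (
                i > 0
                and sql[i - 1] in "Ee"
                and (i == 1 or not (sql[i - 2].isalnum() or sql[i - 2] == "_"))
            )
            j = i + 1
            while j < n:
                if is_e and sql[j] == "\\":
                    j += 2
                    continue
                if sql[j] == "'":
                    if j + 1 < n and sql[j + 1] == "'":
                        j += 2  # doubled quote: literal ', not the end
                        continue
                    break
                j += 1
            buf.append(sql[i : j + 1])
            i = j + 1
            continue
        if sql.startswith("--", i):
            # Line comment: discard to end of line.
            j = sql.find("\n", i)
            i = n if j < 0 else j
            continue
        if c == ";":
            stmts.append("".join(buf).strip())
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        stmts.append(tail)
    return [s for s in stmts if s]


if __name__ == "__main__":
    print(pg_escape_literal(PAYLOAD))
    print(split_statements(naive_query(PAYLOAD)))    # two statements
    print(split_statements(literal_query(PAYLOAD)))  # one statement
```

The naive form yields a second `DROP TABLE Students` statement, while the escaped form is a single `SELECT` whose literal contains the whole payload as data. Doubling quotes alone is only correct for plain `'...'` strings; because the generated SQL uses the `E'...'` form, backslashes must be doubled too, which is why the escaper here handles both.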

Replies: 3 comments

Answer selected by ocharles
Category: Q&A
3 participants

This discussion was converted from issue #129 on July 26, 2021 09:29.