Last active December 31, 2019 22:05
Example of an SQL injection attack for the Cosmos DB
// Assumed setup (not in the original gist): @azure/cosmos v2 client, where
// items.query(...).toArray() exists; endpoint, key, databaseId, containerId
// and the Express-style req object are assumed to be defined by the caller.
const { CosmosClient } = require("@azure/cosmos");
const container = new CosmosClient({ endpoint, key })
  .database(databaseId)
  .container(containerId);

// Called through:
// Query username from URL parameter (attacker-controlled input)
const username = req.query.username;
// Create SQL query by string concatenation: this is the injection point
const sqlQuery = "SELECT * FROM c WHERE'" + username + "'";
// -> with username = ' OR '1'='1 the SQL query is: SELECT * FROM c WHERE'' OR '1'='1'
// Execute SQL query (the injected tautology is now part of the query text)
const queryResponse = await container.items.query(sqlQuery).toArray();
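The fix for the concatenation above is to pass Cosmos DB a SqlQuerySpec, so the query text stays constant and the user-supplied value travels as a named parameter. The block below is an added example, not code from the gist: it shows the vulnerable string next to the parameterized form, and runs offline against a constructed in-memory stand-in for a container (the field name c.username, the helper names, and the v3-style items.query(spec).fetchAll() shape resolving to { resources } are assumptions).

```javascript
// Payload that produces the injected query shown in the gist's comment.
const INJECTED_USERNAME = "' OR '1'='1";

// Vulnerable: user input is spliced into the query text, so a quote in the
// input ends the literal and the rest is parsed as SQL.
// (c.username is a hypothetical field name; the gist compares nothing.)
function buildVulnerableQuery(username) {
  return "SELECT * FROM c WHERE c.username = '" + username + "'";
}

// Safe: a SqlQuerySpec. The query text is a constant; the value is bound to
// @username by the service and can never change the query's structure.
function buildParameterizedQuery(username) {
  return {
    query: "SELECT * FROM c WHERE c.username = @username",
    parameters: [{ name: "@username", value: username }],
  };
}

// Handler-side lookup using the safe form. `container` is whatever the SDK
// (or the fake below) provides; items.query(spec).fetchAll() is assumed.
async function findUserSafely(container, username) {
  const spec = buildParameterizedQuery(String(username));
  const { resources } = await container.items.query(spec).fetchAll();
  return resources;
}

// Constructed in-memory stand-in for a Cosmos container so the example runs
// offline. It only understands the one parameterized query above and refuses
// raw query strings, which is the discipline the real code should keep.
function makeFakeContainer(documents) {
  return {
    items: {
      query(spec) {
        return {
          async fetchAll() {
            if (typeof spec === "string") {
              throw new Error("raw query text rejected: use a SqlQuerySpec");
            }
            const param = spec.parameters.find((p) => p.name === "@username");
            // The bound value is compared as data, never parsed as SQL.
            return { resources: documents.filter((d) => d.username === param.value) };
          },
        };
      },
    },
  };
}
```

With the parameterized spec the payload `' OR '1'='1` is simply a username that matches no document, while the concatenated string turns it into a tautology that returns the whole container.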