@jearl4
Last active May 25, 2019 04:01
Using prepared statements to protect against SQLI
// mssql (node-mssql) driver; assumes sql.connect(config) was called at startup so the
// global connection pool exists (new sql.PreparedStatement() with no pool argument uses it).
const sql = require('mssql')

function authenticate(req, res, next){
  // Credentials are read from the query string as in the original gist; prepared
  // statements address SQL injection only, they do not fix credentials in URLs or
  // plaintext password comparison in SQL.
  const username = req.query.username,
        password = req.query.password
  const preparedStatement = new sql.PreparedStatement(),
        sqlQuery = "select * from users where (username = @username and password = @password)"
  // Declare the bound parameters and their SQL types; the values are sent separately
  // from the query text, so they can never change the query's structure.
  preparedStatement.input('username', sql.VarChar(50))
  preparedStatement.input('password', sql.VarChar(50))
  preparedStatement.prepare(sqlQuery)
    .then(function(){
      return preparedStatement.execute({username: username, password: password})
        .then(function(result){
          // Release the server-side handle whether or not the login succeeded.
          return preparedStatement.unprepare().then(function(){ return result })
        })
    })
    .then(function(result){
      // mssql v4+ resolves with a result object; the rows are in result.recordset.
      if(result.recordset.length == 1){
        req.loggedIn = true
        //successful log in
      } else {
        req.loggedIn = false
        //authentication failed
      }
      next()
    })
    .catch(next)
}
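The reason the bound parameters above stop injection is that the driver fixes the SQL text at prepare() time and ships the values separately, so a quote character in the input is compared as data rather than parsed as grammar. The following added example (not part of the gist) makes that visible side by side: it builds the concatenated query the gist is avoiding and shows the resulting SQL text, and runs the gist's logic against a small in-memory stand-in for mssql's PreparedStatement API. FakePreparedStatement, the USERS table and the payloads are constructed here so the block runs offline; the real driver's behaviour it imitates is only that execute() receives values, never query text.

```javascript
// Added example (not the gist author's code). FakePreparedStatement is an
// assumption: a minimal offline stand-in for mssql's PreparedStatement
// (input/prepare/execute/unprepare), not the real driver.

// Constructed sample table. Plaintext passwords only mirror the gist's query
// shape; a real system compares password hashes.
const USERS = [
  { id: 1, username: 'alice', password: 'correct horse' },
  { id: 2, username: 'bob',   password: 'hunter2' },
];

const GIST_QUERY =
  'select * from users where (username = @username and password = @password)';

// The vulnerable shape the gist protects against: credentials pasted into the
// SQL text, so a quote in the input closes the string literal and the rest
// of the input becomes SQL.
function buildConcatenatedQuery(username, password) {
  return "select * from users where (username = '" + username +
         "' and password = '" + password + "')";
}

// Offline stand-in for the driver. The property it shares with the real
// server-side behaviour: the SQL text is fixed by prepare(), and execute()
// only receives values, which are compared as opaque strings.
class FakePreparedStatement {
  constructor(table) { this.table = table; this.params = {}; this.sql = null; }
  input(name, type) { this.params[name] = type; return this; }
  async prepare(sqlText) {
    if (sqlText !== GIST_QUERY) throw new Error('fake driver only knows the gist query');
    this.sql = sqlText;
  }
  async execute(values) {
    if (this.sql === null) throw new Error('execute() before prepare()');
    for (const name of Object.keys(this.params)) {
      if (typeof values[name] !== 'string') throw new Error('missing parameter ' + name);
    }
    // Bound VarChar values: compared as data, never re-parsed as SQL.
    const rows = this.table.filter(
      r => r.username === values.username && r.password === values.password);
    return { recordset: rows };
  }
  async unprepare() { this.sql = null; }
}

// The gist's logic, returning its decision instead of setting a global and
// taking the statement object as a parameter so it can run against the fake
// (with the real driver, pass new sql.PreparedStatement()).
async function authenticateWithPreparedStatement(ps, username, password) {
  ps.input('username', 'VarChar(50)');
  ps.input('password', 'VarChar(50)');
  await ps.prepare(GIST_QUERY);
  try {
    const result = await ps.execute({ username, password });
    return result.recordset.length === 1;
  } finally {
    await ps.unprepare();
  }
}

// Classic tautology payload: closes the quoted username, ORs in a condition
// that is true for every row, and comments out the password check.
const PAYLOAD_USER = "admin' OR 1=1 --";

async function demo() {
  const fresh = () => new FakePreparedStatement(USERS);
  return {
    // What a concatenating implementation would send to the server.
    concatenatedSql: buildConcatenatedQuery(PAYLOAD_USER, 'x'),
    validLogin:    await authenticateWithPreparedStatement(fresh(), 'alice', 'correct horse'),
    wrongPassword: await authenticateWithPreparedStatement(fresh(), 'alice', 'nope'),
    // Same payload through bound parameters: no user literally named
    // "admin' OR 1=1 --" exists, so the login fails.
    payloadLogin:  await authenticateWithPreparedStatement(fresh(), PAYLOAD_USER, 'x'),
  };
}

demo().then(r => console.log(JSON.stringify(r, null, 2)));
```

Running it prints the concatenated text `select * from users where (username = 'admin' OR 1=1 --' and password = 'x')`, whose WHERE clause any SQL Server would evaluate as true for every row, alongside `payloadLogin: false` for the parameterised path. The stand-in does not execute the concatenated string; it only shows what the server would have been asked to parse.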